Malicious PDF — malware analysis report

Static analysis result for SHA-256 08aa0e14d5adecfb…

MALICIOUS

PDF

42.8 KB Created: 2020-08-04 23:30:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b8a50b3ada45eda98f7171d18a26f798 SHA-1: 83c27ee9c82958860ea97a6fae546bb9dbbb20c6 SHA-256: 08aa0e14d5adecfbed592ecab159a024dfd6c1de5936eb29feb1828f6bb4d2bd
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link to a known malicious redirector, ttraff.ru, which is disguised as a manual. This heuristic, combined with the ML classifier flagging the PDF as malicious, strongly suggests a phishing or malware distribution attempt. The document body also contains numerous links to benign-looking PDFs hosted on Shopify, likely part of a link farm to improve SEO for the malicious redirector. No scripts were extracted, but the primary attack vector appears to be social engineering via a deceptive link.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=allison+transmission+operators+manual+pdf
    • http://files.desertrambler.com/uploads/1/3/0/7/130739260/1c87141cf1a.pdf
    • http://files.backwaterinc.com/uploads/1/3/1/8/131856723/kojazubupirafu-xekokunex-fixedag-panutofomod.pdf
    • http://files.finalmile.ink/uploads/1/3/0/8/130814605/787699.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0431/6836/6760/files/principles_of_macroeconomics_7th_edition.pdf
    • https://cdn.shopify.com/s/files/1/0430/6881/7562/files/87138350071.pdf
    • https://cdn.shopify.com/s/files/1/0428/5513/7447/files/41388269731.pdf
    • https://cdn.shopify.com/s/files/1/0436/0224/7838/files/ronevuxiwe.pdf
    • https://cdn.shopify.com/s/files/1/0430/6088/7705/files/pewape.pdf
    • https://cdn.shopify.com/s/files/1/0435/1823/0688/files/mozafevujenamat.pdf
    • https://cdn.shopify.com/s/files/1/0430/5479/2866/files/zitolixavelatus.pdf
    • https://cdn.shopify.com/s/files/1/0430/0757/4179/files/7475263874.pdf
    • https://cdn.shopify.com/s/files/1/0431/8176/8872/files/20455712015.pdf
    • https://cdn.shopify.com/s/files/1/0430/1560/2337/files/wipefebasozerudaxexugip.pdf
    • https://cdn.shopify.com/s/files/1/0431/6617/1297/files/gabilasosonevu.pdf
    • https://cdn.shopify.com/s/files/1/0438/1828/7266/files/lokokewujum.pdf
    • https://cdn.shopify.com/s/files/1/0433/7526/3909/files/67685972502.pdf
    • https://cdn.shopify.com/s/files/1/0430/8749/5321/files/non_cash_expenses.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006b10.bin
a54a6e23446f614d7d893067c88cb733daa9facb9794799df67a73f860f3669b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B10 5176 bytes
font_01_sfnt_off00007c95.bin
29e6265674c3ae96b3f148e20b7ffd03d318834feed7731b24e6416b769811f4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C95 9652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.