Malicious PDF — malware analysis report

Static analysis result for SHA-256 08c7882537367773…

MALICIOUS

PDF

85.4 KB Created: 2020-07-30 12:50:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 568b7fb32ac428352498b6abe6d4cfb6 SHA-1: fa18cb95d0b887b457a6613704a661a2f7332be7 SHA-256: 08c78825373677736d355524e2aa1828d84bd07bb7259bbc45448b6a7824c3c4
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded links, with a critical heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK pointing to 'ttraff.ru'. Another critical heuristic, PDF_SEO_LINK_FARM, indicates a large number of external PDF links, suggesting a link farm or SEO manipulation tactic. The ML classifier also strongly flagged this PDF as malicious. While no scripts were extracted, the presence of malicious redirector links and the sheer volume of outbound links indicate a high likelihood of this document being used to distribute further malicious content or lead users to phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=types+of+ambush+marketing+pdf In PDF document text
    • http://files.iachristiancounselor.com/uploads/1/3/2/8/132814343/5291668.pdfIn PDF document text
    • http://files.bottledeliverytoronto.com/uploads/1/3/1/8/131872178/ade8a.pdfIn PDF document text
    • http://files.acompassionateway.com/uploads/1/3/0/8/130813829/tuzubozuru-moguzok-famofolo.pdfIn PDF document text
    • http://files.cafeindia559.com/uploads/1/3/1/1/131163953/d98858f34deb246.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://cdn.shopify.com/s/files/1/0432/4560/0931/files/23416481877.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0429/9938/2170/files/tegiga.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0437/9328/5277/files/13768876419.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0428/5782/4419/files/92669308766.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0431/8923/9969/files/11477684342.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0436/0686/8131/files/60694964529.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0431/3061/8011/files/wuduzivifemulo.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0430/3477/1610/files/99598691558.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0430/8451/3444/files/35909896465.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0438/1527/2605/files/40743900472.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0435/2363/7399/files/paduketozajobuxoza.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0436/0876/8675/files/26572228025.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010e75.bin
ba1e3589057ad8730bafde81f2866e4d8c003904f1d3ddbcc36d9a09dac93043		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10E75 5560 bytes
font_01_sfnt_off00012138.bin
ad63c8c91a72b0f3c269afad8b2299f59592f2c65ff24dce81d544b3591c17c9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12138 11524 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.