Malicious PDF — malware analysis report

Static analysis result for SHA-256 08f295169fdb8d5d…

MALICIOUS

PDF

Size: 66.0 KB
Created: 2020-08-31 19:14:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3b7c9f9bc262acfc69682dfdb22fe014
SHA-1: 16fbb7914c505a3bc2c2592c64e76bb13043fa23
SHA-256: 08f295169fdb8d5dd19d2a84dc303f98156aca56c454d8bb6e928a355c0cd640
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. This URL is embedded within the document body, suggesting an attempt to lure the user to a malicious site. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs, many of which point to benign Shopify domains but are likely used to mask the malicious redirector. No scripts were extracted, but the presence of a malicious redirector and the link farm behavior strongly indicate a phishing or redirection attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/wix?keyword=map+vs+foreach+performance+javascript
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0438/3404/8669/files/a_weekend_in_the_country_sheet_music.pdf
    • https://cdn.shopify.com/s/files/1/0437/5989/4689/files/bezunut.pdf
    • https://cdn.shopify.com/s/files/1/0431/7983/5547/files/ppsspp_games_for_android_dragon_ball.pdf
    • https://cdn.shopify.com/s/files/1/0435/7206/8520/files/52307809092.pdf
    • https://cdn.shopify.com/s/files/1/0435/3140/3423/files/nukaxemidafavupo.pdf
    • https://cdn.shopify.com/s/files/1/0428/4373/4172/files/unable_to_update_the_minecraft_runtime_environment.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/38692385895.pdf
    • https://cdn.shopify.com/s/files/1/0435/1341/3791/files/29453580599.pdf
    • https://cdn.shopify.com/s/files/1/0434/0957/1990/files/tilusifo.pdf
    • https://cdn.shopify.com/s/files/1/0432/3350/9534/files/sivufagudo.pdf
    • https://cdn.shopify.com/s/files/1/0430/5806/9655/files/marc_mezvinsky_net_worth.pdf
    • https://cdn.shopify.com/s/files/1/0435/8085/0335/files/carpal_tunnel_syndrome_patient.pdf
    • https://cdn.shopify.com/s/files/1/0432/7368/3112/files/bagels_and_beans_menu.pdf
    • https://cdn.shopify.com/s/files/1/0435/5126/0823/files/gomamikixu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/wijabogose.pdf
    • https://cdn.shopify.com/s/files/1/0430/3552/5282/files/19737126639.pdf
    • https://cdn.shopify.com/s/files/1/0431/0201/1548/files/midland_xtra_talk_manual.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000a110.bin
  SHA-256: 9d2ce943b253017d3522d4a1610bbce0e0d9bfdcdfdfc4333df753ad7f928608
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA110
  Size: 5364 bytes

Filename: font_01_sfnt_off0000b336.bin
  SHA-256: 2d1c02d7faeb7dad5af5d103f135926a0d4fd4e69f3a7da8959d46cf8e88466d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB336
  Size: 3120 bytes

Filename: font_02_sfnt_off0000bfb9.bin
  SHA-256: a4e2cc4b2989ee01cbe934d43f565ad25f6281e8d442c505d2430048639aece9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xBFB9
  Size: 11000 bytes

Filename: font_03_sfnt_off0000e573.bin
  SHA-256: 20dc835fdb26e5c8b2bf371a74de3f1f2251d0d540cd54084ecb3d27d8cc4587
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE573
  Size: 16076 bytes