Malicious PDF — malware analysis report

Static analysis result for SHA-256 09f00e386f70eb3c…

MALICIOUS

PDF

62.2 KB Created: 2020-09-15 13:53:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 08bc9987f696968c266fabd92f7ef01a SHA-1: cd0d5f57c360bc969e2cb9127871f11852273c05 SHA-256: 09f00e386f70eb3cec9801e23db1c5e9a677f36c8240d6632d4ac85fac01bf47
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.me'. It also exhibits characteristics of a PDF link farm, with numerous external links, many hosted on Shopify. The ML classifier strongly flagged this PDF as malicious. The embedded URL in the document body, 'https://ttraff.me/pify?keyword=high+school+memories+cast', is the primary indicator of malicious intent, likely serving as a lure to a phishing or malware distribution site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/pify?keyword=high+school+memories+cast
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://cdn.shopify.com/s/files/1/0462/9118/9920/files/85608895866.pdf
    • https://cdn.shopify.com/s/files/1/0435/5430/8245/files/fevimalabinaxaz.pdf
    • https://cdn.shopify.com/s/files/1/0429/0890/9734/files/kadosuvutituwinivosire.pdf
    • https://cdn.shopify.com/s/files/1/0428/5405/6095/files/gorillaz_gorillaz_zip_download.pdf
    • https://cdn.shopify.com/s/files/1/0433/3898/9718/files/28452361872.pdf
    • https://cdn.shopify.com/s/files/1/0431/0741/8273/files/sowijebojez.pdf
    • https://cdn.shopify.com/s/files/1/0428/2010/8455/files/89260098253.pdf
    • https://cdn.shopify.com/s/files/1/0431/4847/6570/files/anthropology_optional_test_series.pdf
    • https://cdn.shopify.com/s/files/1/0432/2574/3523/files/moral_education_book_uae_grade_7_answers.pdf
    • https://cdn.shopify.com/s/files/1/0433/5193/3078/files/tevazewesonugabawikunu.pdf
    • https://cdn.shopify.com/s/files/1/0436/0624/5539/files/nikurafoniramiso.pdf
    • https://cdn.shopify.com/s/files/1/0432/3350/9534/files/47994973328.pdf
    • https://cdn.shopify.com/s/files/1/0437/8063/6833/files/30064850624.pdf
    • https://cdn.shopify.com/s/files/1/0435/2393/2311/files/meripomovegutosanufawije.pdf
    • https://cdn.shopify.com/s/files/1/0440/5487/2214/files/biladu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000083ac.bin
5215af96ab38e1b02a5e2bf878a72608f6661feefe4a12715878e88d4203eda2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x83AC 5176 bytes
font_01_sfnt_off0000951d.bin
2069aada9fd1d0c5bd1e646f069486efcdf58c28f7e5da1bd96ba1379d18c7c7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x951D 10064 bytes
font_02_sfnt_off0000b16a.bin
3d6cac716d6c0ffcd3d46a62a6262f0cd813e3971f1e4a37bb74aac25af543fc		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB16A 10600 bytes
font_03_sfnt_off0000d5f7.bin
e296a61d2d303e35be9e1a35631556663d2780498efa7e8f3867bf557f172fe6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD5F7 16164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.