Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ada51e6ee0122ea…

Verdict: MALICIOUS
File type: PDF
Size: 64.4 KB
Created: 2020-08-11 03:26:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fce803d23cc00e86cae15f8318b9d28f
SHA-1: 3cb47e1eb0652dfc15b9469e16d6ef1ae186b96a
SHA-256: 0ada51e6ee0122eaadcde6c152f3d59c638c89db8f656f1d84bfae1f21a6ded4
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded links, with one specifically identified as a malicious redirector pointing to 'ttraff.com'. The document body, though heavily obfuscated, also contains this URL, suggesting an attempt to trick users into clicking it. The presence of many links to external PDFs, including benign ones on Shopify, indicates a link farm strategy, likely to improve SEO for malicious content or to obscure the primary malicious link. No scripts were extracted, but the PDF structure and embedded links strongly suggest a phishing or redirection attack.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.com/pify?keyword=public+speaking+pdf+noun
    • http://dalifima.paulgoldberg.com/uploads/1/3/1/3/131398097/jutoxi.pdf
    • http://files.sebastian.boundlessgym.com/uploads/1/3/1/3/131384636/xokawizuge_fojodimefe_pimudaporipus_vuvagidupobi.pdf
    • http://gopotoma.veggieandlovingit.com/uploads/1/3/1/3/131380042/0f7d38c6032a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://cdn.shopify.com/s/files/1/0434/7507/5225/files/acca_f6_finance_act_2020.pdf
    • https://cdn.shopify.com/s/files/1/0453/8272/9896/files/30_squat_challenge.pdf
    • https://cdn.shopify.com/s/files/1/0434/9899/5864/files/suzezebuxogupumasuj.pdf
    • https://cdn.shopify.com/s/files/1/0440/6640/6552/files/70333787239.pdf
    • https://cdn.shopify.com/s/files/1/0434/6052/6246/files/uniden_atlantis_250.pdf
    • https://cdn.shopify.com/s/files/1/0428/9105/1161/files/bupugepesosurokugodadi.pdf
    • https://cdn.shopify.com/s/files/1/0433/9544/8997/files/68343760605.pdf
    • https://cdn.shopify.com/s/files/1/0432/2417/0664/files/wonujebafupu.pdf
    • https://cdn.shopify.com/s/files/1/0431/1629/8393/files/ornamental_horticulture_notes.pdf
    • https://cdn.shopify.com/s/files/1/0430/5226/9717/files/limebiwixebixozupevero.pdf
    • https://cdn.shopify.com/s/files/1/0440/2449/6286/files/70819254378.pdf
    • https://cdn.shopify.com/s/files/1/0435/0532/0088/files/snow_white_hiho.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size.

font_00_sfnt_off00005eb4.bin
  SHA-256: 05f72db7a2e3f0e2ca0f75416f55d8b143e9f9a04383d389c2a5d37ebe4b6ec0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5EB4
  Size: 4856 bytes

font_01_sfnt_off00006fc0.bin
  SHA-256: e2b311453984d4480789adda7d2f546a5943a6d283d825eddb34f4954704acf1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6FC0
  Size: 5432 bytes

font_02_sfnt_off0000823b.bin
  SHA-256: dbdbdc9f000217ac18e836b74a31e6a88ff54d79b16171f81de81c8abed4e4fa
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x823B
  Size: 3092 bytes

font_03_sfnt_off00008e8b.bin
  SHA-256: 23450c80a4122e48588afd0466a210d510980759f57adc57c9dea1e23da460dd
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8E8B
  Size: 5168 bytes

font_04_sfnt_off00009f34.bin
  SHA-256: aa072b2774d99fa86ca32d9bb4c3ea3b84bfea2d2d12fc5bfe118d2d5ed1b075
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9F34
  Size: 14892 bytes

font_05_sfnt_off0000cb21.bin
  SHA-256: d3697c2b737e05e18f104658fad9144f50a930b4833ff900da541ee5e2b266c0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xCB21
  Size: 16688 bytes

font_06_sfnt_off0000e298.bin
  SHA-256: a04de8a31369dc725d107c470775cff52ce94f0b23548a3964b72d5bedf5531a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE298
  Size: 3620 bytes