Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ffbf42aa0baa664…

MALICIOUS

PDF

53.7 KB Created: 2020-08-28 09:11:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1ac3ba6ff9b290f05369c508b92a09a0 SHA-1: b2c06804b900306ec4a2cfa3ad05dd5241e97118 SHA-256: 0ffbf42aa0baa664cd96769bbcf007ff4046c1a97d0b2ab4be2fa4aed71620cc
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.com/pify?keyword=ma-+config.+com+start+the+detection'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, many hosted on Shopify. The ML classifier strongly indicates maliciousness. While no scripts were explicitly extracted, the presence of embedded URLs and the redirector strongly suggest an intent to lure the user to a malicious site, likely for phishing or to download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=ma-+config.+com+start+the+detection
    • http://jovenozi.seniorukeensemble.com/uploads/1/3/2/7/132740309/fumupaneri_fevonabedulojik.pdf
    • http://kizik.stocktontreepros.com/uploads/1/3/2/7/132740249/22f1360bb66.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0450/5626/2307/files/44734613959.pdf
    • https://cdn.shopify.com/s/files/1/0433/7218/3703/files/xogiredav.pdf
    • https://cdn.shopify.com/s/files/1/0431/4251/2797/files/6525320138.pdf
    • https://cdn.shopify.com/s/files/1/0435/9097/5647/files/tipos_de_caries_en_nios.pdf
    • https://cdn.shopify.com/s/files/1/0431/7619/8305/files/wivobafirele.pdf
    • https://cdn.shopify.com/s/files/1/0431/1610/1781/files/63070334400.pdf
    • https://cdn.shopify.com/s/files/1/0431/5208/1053/files/2742481113.pdf
    • https://cdn.shopify.com/s/files/1/0438/2290/7554/files/97107830810.pdf
    • https://cdn.shopify.com/s/files/1/0433/2929/0390/files/toxotolexon.pdf
    • https://cdn.shopify.com/s/files/1/0431/6240/2967/files/69927385505.pdf
    • https://cdn.shopify.com/s/files/1/0432/2331/8683/files/esc_acute_coronary_syndrome.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_005_off00009b54.bin
075af16e663d938b4dbe9ab88a068b2c591a1c142b7321535ced99b5ff390fea		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x9B54 25852 bytes
font_00_sfnt_off000064f5.bin
8716b93b9decb59cb1d4b88c288e0baedc4fa69439ba21bf3118f86f2250fbac		 pdf-font-stream PDF embedded font (sfnt) at offset 0x64F5 5472 bytes
font_01_sfnt_off0000776c.bin
ad8d8716f8090d38caa25a13108e59bb9824f514d24b067bdeba712a1b00569e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x776C 10500 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.