Malicious PDF — malware analysis report

Static analysis result for SHA-256 13e694fdf3dff59a…

MALICIOUS

PDF

41.4 KB Created: 2020-08-08 21:14:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 225fd9b0bb29deb0b74f9bb2663b152e SHA-1: a03091313e3b1c7d6e35a5d001d613d6c9729be9 SHA-256: 13e694fdf3dff59ab536b1900c56750543ce9018b8e0a8ef569f60513f15bb8a
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains a large number of embedded links, many of which point to external PDF files hosted on various domains, suggesting a link farm or SEO poisoning attempt. One critical heuristic identified a link to known malicious redirector infrastructure at 'ttraff.cc', which is likely the primary malicious payload delivery mechanism. The document body itself is heavily obfuscated but contains references to the textbook title and the malicious URL, reinforcing the lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=brunner+and+suddarth+s+textbook+of+canadian+medical+surgical+nursing+pdf
    • http://fapat.npyouthcenter.org/uploads/1/3/1/8/131871980/ebbfc05e4a.pdf
    • http://gezozekes.garnerfarmfresh.com/uploads/1/3/0/9/130969060/dexik.pdf
    • http://fulexubap.chartwellprimarymaths.org.uk/uploads/1/3/0/8/130874329/xapim_fonujozusojok_juvakopijedo.pdf
    • http://files.steppingstonedaycare.nl/uploads/1/3/0/7/130776619/8020035.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0432/2630/0577/files/piviruwurire.pdf
    • https://cdn.shopify.com/s/files/1/0437/1123/4197/files/boxofitimi.pdf
    • https://cdn.shopify.com/s/files/1/0437/2309/6216/files/vesitisovivituvedeb.pdf
    • https://cdn.shopify.com/s/files/1/0431/3815/4653/files/69036216727.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/vinujavezo.pdf
    • https://cdn.shopify.com/s/files/1/0432/0247/8237/files/75796566257.pdf
    • https://cdn.shopify.com/s/files/1/0430/6731/0231/files/33255411465.pdf
    • https://cdn.shopify.com/s/files/1/0432/0142/9662/files/34148224805.pdf
    • https://cdn.shopify.com/s/files/1/0431/3638/5175/files/97958639726.pdf
    • https://cdn.shopify.com/s/files/1/0430/0223/2983/files/9823991896.pdf
    • https://cdn.shopify.com/s/files/1/0437/7637/6983/files/sql_export_to_csv.pdf
    • https://cdn.shopify.com/s/files/1/0434/5911/7206/files/zejibunizusufutosutinev.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000621a.bin
9ef2b962ec6d8081bd4c85de9688d326dae240f1573fee24c657f25c048d978d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x621A 5892 bytes
font_01_sfnt_off00007605.bin
27920c3a0fe7cff852f9ac8911bc4e38c48077cb403560022509841b87d5c455		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7605 9932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.