Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c3d4b1a4512019f…

MALICIOUS

PDF

Size: 67.2 KB
Created: 2020-08-13 02:31:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 21305e3609265fb0d58285112aff6223
SHA-1: 6b3180755c6b45bbdd6c83791996602e408ed04e
SHA-256: 1c3d4b1a4512019f2620e0d4720a8ca7daba58ca2a8a48435050c9c4e6020237
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains numerous embedded links, many pointing to external PDF files hosted on Shopify, suggesting a link farm for SEO manipulation or traffic redirection. One critical heuristic identified a link to a known malicious redirector, 'ttraff.com', which is also present in the document body. This indicates the primary purpose is to redirect the user to malicious infrastructure. No scripts were extracted, limiting the analysis of direct payload delivery.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=calendario+serie+b+2020+20+pdf (known malicious redirector referenced above)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000097cc.bin
  SHA-256: c67d79a82093ad5e3005610038bc02634e5c3d0ce45f6324d1197ea11b24298f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x97CC
  Size: 5180 bytes

Filename: font_01_sfnt_off0000a964.bin
  SHA-256: b9e525712e1ac343df2e720324cc7da363326813c72aaaa4175f8b26f7ee02a3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA964
  Size: 16408 bytes

Filename: font_02_sfnt_off0000dadd.bin
  SHA-256: e9cf687b76f137aec67d68831f9d11b8b042d8608c48378d8b0ece48f167d107
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDADD
  Size: 16064 bytes

Filename: font_03_sfnt_off0000ef7d.bin
  SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEF7D
  Size: 4324 bytes