Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c8a429e839d1463…

MALICIOUS

PDF

44.0 KB Created: 2020-08-06 13:55:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d9e39f15d85dd0308ad4b679a58ae99e SHA-1: 6d5849590dca85fd9979a0450935bf232f0d2f71 SHA-256: 1c8a429e839d146300be7c2951b971488c80ed7f100c0a3211826e5d54fe68bb
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged by a machine learning classifier and contains a critical heuristic indicating it links to known malicious redirector infrastructure. The document body and embedded artifacts reveal a large number of external links, many pointing to Shopify domains, but one specific URL, 'https://ttraff.com/pify?keyword=blurry+images+indesign+pdf', is identified as malicious. This suggests the PDF's primary purpose is to act as a link farm, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=blurry+images+indesign+pdf
    • http://files.nationaldancehonors.com/uploads/1/3/2/8/132815172/menipope-xifazi-kowugaxiragab.pdf
    • http://files.petemiller.com/uploads/1/3/2/7/132740951/1955477.pdf
    • http://files.ericmccarron.com/uploads/1/3/2/6/132680813/9233837.pdf
    • http://files.briccawards.com/uploads/1/3/1/4/131406344/pelin-juvomimurowebox-vumera-vazux.pdf
    • https://cdn.shopify.com/s/files/1/0434/1268/4967/files/golosa_student_activities_manual.pdf
    • https://cdn.shopify.com/s/files/1/0440/2230/0822/files/how_to_make_crack.pdf
    • https://cdn.shopify.com/s/files/1/0434/7510/7992/files/hdfc_life_progrowth_plus.pdf
    • https://cdn.shopify.com/s/files/1/0431/7963/8942/files/677358746.pdf
    • https://cdn.shopify.com/s/files/1/0428/6706/4991/files/nafopifediziwijatudin.pdf
    • https://cdn.shopify.com/s/files/1/0430/5816/7959/files/disedokebeladijik.pdf
    • https://cdn.shopify.com/s/files/1/0433/7362/5500/files/7945880299.pdf
    • https://cdn.shopify.com/s/files/1/0430/5272/8474/files/js_camelcase_to_kebab_case.pdf
    • https://cdn.shopify.com/s/files/1/0430/1537/2949/files/25039627364.pdf
    • https://cdn.shopify.com/s/files/1/0434/7274/8710/files/60005579414.pdf
    • https://cdn.shopify.com/s/files/1/0428/9468/8412/files/28_day_jumpstart.pdf
    • https://cdn.shopify.com/s/files/1/0440/8557/5832/files/application_letter_format_sample.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006005.bin
c644a207fc313ea607b63fdef4b983e3845229f7ad7d741f99e276c82eeb1244		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6005 5204 bytes
font_01_sfnt_off000071a0.bin
550fe47fbd857e808b0582234fd766a929fb3a78eac04ff0d5bc0bea276bc87a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71A0 10472 bytes
font_02_sfnt_off0000953b.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x953B 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.