Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d680405cbda22aa…

MALICIOUS

PDF

64.6 KB Created: 2020-09-01 02:55:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2f021a8bd8fadcc5c5dcd5cf607ff34a SHA-1: 8f27a5379978880393c72d501e8563bb169268fb SHA-256: 1d680405cbda22aab84e1f59686f57c290f8d11666e45762eebc1d3e27a9ddc2
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF was flagged as malicious due to a critical heuristic identifying it as a redirector link to known malicious infrastructure. Additionally, another critical heuristic detected a PDF link farm, suggesting a coordinated effort to distribute malicious content. The embedded URL, https://ttraff.com/pify?keyword=broadsheet+newspaper+english+language, is the primary indicator of this malicious activity. While no scripts were extracted, the structure and heuristics strongly suggest a phishing or malware delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=broadsheet+newspaper+english+language
    • https://static.usrfiles.com/ugd/01bc73_1b10f987791d402fa20237210ce1c94f.pdf
    • https://static.usrfiles.com/ugd/77d535_b18609cf4de24430aa68d65809314cf2.pdf
    • https://static.usrfiles.com/ugd/fafc38_a0de38b5543d4920b3c234894ec9e83a.pdf
    • https://static.usrfiles.com/ugd/b8c837_dad603711759498baecad27aba6bcb64.pdf
    • https://cdn.shopify.com/s/files/1/0433/8640/5022/files/3rd_class_english_grammar_book.pdf
    • https://cdn.shopify.com/s/files/1/0463/5050/0002/files/sokolijiwofepi.pdf
    • https://cdn.shopify.com/s/files/1/0433/7503/4524/files/kumebetu.pdf
    • https://cdn.shopify.com/s/files/1/0438/5302/1334/files/ucweb_handler_apk.pdf
    • https://cdn.shopify.com/s/files/1/0439/4044/6366/files/mother_son_porn_comic.pdf
    • https://cdn.shopify.com/s/files/1/0463/5050/0002/files/dasapagenevojujazefevesus.pdf
    • https://cdn.shopify.com/s/files/1/0430/9116/5333/files/12082562968.pdf
    • https://cdn.shopify.com/s/files/1/0432/2007/4663/files/jolij.pdf
    • https://cdn.shopify.com/s/files/1/0431/7868/8674/files/bangladesh_budget_2020_19_summary.pdf
    • https://cdn.shopify.com/s/files/1/0435/9503/8877/files/93620215113.pdf
    • https://static.usrfiles.com/ugd/b8c837_f38c6d18cbfc423eaaa343fc136c2e15.pdf
    • https://static.usrfiles.com/ugd/0d002d_51029843e7904159bb5db26fb2745827.pdf
    • https://static.usrfiles.com/ugd/b8c837_bd83b711650c46d0ace2eb252c52e830.pdf
    • https://static.usrfiles.com/ugd/9904c2_2997206609914641b4151728a170c841.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008c0c.bin
9cd1ba44ed0dc8838f7368a4a26c3144e8581f39837b8bace04cafb53ca7dbc1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8C0C 7072 bytes
font_01_sfnt_off0000a414.bin
37c4b89979eb372cc2049725c35f7a3f5f54b04e2be2e144fdfc4d0c5a37b523		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA414 5360 bytes
font_02_sfnt_off0000b653.bin
5e1be9a507c7efd15074092e18e09e31edc977dfcdce092b7d7c48eed76e7132		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB653 6968 bytes
font_03_sfnt_off0000c8f5.bin
b7ddfc702c797856a450997cdf79776a20ba5bebd0f616783f32d8c017971aab		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC8F5 13532 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.