Malicious PDF — malware analysis report

Static analysis result for SHA-256 201ddb7ecf3ee8b8…

Verdict: MALICIOUS
File type: PDF
Size: 61.5 KB
Created: 2020-08-25 18:13:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f99fa7cfe685c66c9c02df4db64819f0
SHA-1: ed8e024c9888daa6e82190712116f6a50973403f
SHA-256: 201ddb7ecf3ee8b8a1e7d167dcc695de295dc14e582559ae308dab3df5db220a
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to ttraff.com. Additionally, it exhibits characteristics of a PDF link farm, with numerous links to external PDFs, many hosted on cdn.shopify.com. The ML classifier also strongly indicated maliciousness. The document body, though heavily obfuscated, contains the malicious URL, suggesting an attempt to lure the user to a harmful site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.com/pify?keyword=gentle+path+through+the+12+steps
    • http://files.golawnservice.com/uploads/1/3/2/8/132815008/6e8e5457dd39b9.pdf
    • http://files.huckleberryridgefurniture.com/uploads/1/3/1/4/131407080/sokeni.pdf
    • http://rovidez.questsr.com/uploads/1/3/1/6/131637836/zipakamarovikena.pdf
    • https://cdn.shopify.com/s/files/1/0435/3461/4688/files/nojoguzotow.pdf
    • https://cdn.shopify.com/s/files/1/0433/5504/6037/files/16192394229.pdf
    • https://cdn.shopify.com/s/files/1/0430/5590/6967/files/cheat_engine_6._1.pdf
    • https://cdn.shopify.com/s/files/1/0432/2410/5124/files/414996877.pdf
    • https://cdn.shopify.com/s/files/1/0436/5503/7093/files/68400117974.pdf
    • https://cdn.shopify.com/s/files/1/0437/1405/2247/files/the_escapists_in_minecraft.pdf
    • https://cdn.shopify.com/s/files/1/0435/8494/6333/files/suzazal.pdf
    • https://cdn.shopify.com/s/files/1/0431/0410/8711/files/the_holy_bible_niv_download_free.pdf
    • https://cdn.shopify.com/s/files/1/0439/0250/1016/files/abscesos_cutaneos_tratamiento.pdf
    • https://cdn.shopify.com/s/files/1/0439/3956/1630/files/logic_gate_project.pdf
    • https://cdn.shopify.com/s/files/1/0434/6360/6429/files/cefr_english_placement_test.pdf
    • https://cdn.shopify.com/s/files/1/0428/3020/0991/files/arduino_ide_programming.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                     | Size
------------------------------+-----------------+--------------------------------------------+------------
font_00_sfnt_off000090f0.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x90F0  | 5296 bytes
  SHA-256: d19673464b1c0d955e69794283182fae53cc2a896c3d815f5449d558f1fe8b05
font_01_sfnt_off0000a2f6.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA2F6  | 15500 bytes
  SHA-256: 1a9a1907bcf3fe9da7388769f308d14446ca29156511348b743fac276d0f0bff
font_02_sfnt_off0000d381.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD381  | 16184 bytes
  SHA-256: 5054759e749bb734e938049909294a60eaad07ab0164109f83ab043c3dba66fe