Malicious PDF — malware analysis report

Static analysis result for SHA-256 226262d2ef683167…

MALICIOUS

PDF

54.4 KB Created: 2020-07-14 04:30:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2fff24c90ab0fd6c96a264ed22b8c9b4 SHA-1: 706f5e3a05010beefe0a66a7335daf42911aa36f SHA-256: 226262d2ef6831676e265236957c37b9b94c4895ca32a18003706c92cfcd2aa0
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to a known malicious redirector (ttraff.com). The heuristic PDF_MALICIOUS_REDIRECTOR_LINK confirms this, and PDF_SEO_LINK_FARM indicates a mass link farm strategy. The ML classifier also strongly flagged this PDF as malicious. The primary attack pattern involves tricking users into clicking these links, which likely lead to further malicious content or exploits.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=java%209%20modularity%20pdf
    • http://files.harvestbibleaz.org/uploads/1/3/1/4/131438002/wijozadadaru_jevidum_vijadij.pdf
    • http://files.witneyhypnotherapy.co.uk/uploads/1/3/1/4/131437225/27045.pdf
    • http://files.mindfulmomentsbook.com/uploads/1/3/1/8/131871467/6b26e57fea4.pdf
    • http://files.aaronlstrong.com/uploads/1/3/1/3/131382239/suravuruluwak_dabutusod_wewiwojewerezup.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/jujirufevob.pdf
    • https://cdn.shopify.com/s/files/1/0433/9548/1750/files/19899239199.pdf
    • https://cdn.shopify.com/s/files/1/0433/5144/1560/files/vitali.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/48880371243.pdf
    • https://cdn.shopify.com/s/files/1/0431/3061/8011/files/5729641345.pdf
    • https://vawopiwu.files.wordpress.com/2020/07/34826573037.pdf
    • https://vuxidugose.files.wordpress.com/2020/07/zorejovonanaxuvuboforap.pdf
    • https://bunorojone.files.wordpress.com/2020/06/96210346126.pdf
    • https://dugiwelo.files.wordpress.com/2020/06/mabeki.pdf
    • https://cdn.shopify.com/s/files/1/0429/3446/8774/files/97474099240.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/jamitaribigonekadori.pdf
    • https://cdn.shopify.com/s/files/1/0434/0416/5285/files/ximovuguditigogevabex.pdf
    • https://cdn.shopify.com/s/files/1/0431/5014/7745/files/93856694965.pdf
    • https://cdn.shopify.com/s/files/1/0433/6192/7318/files/91148912695.pdf
    • https://cdn.shopify.com/s/files/1/0431/6309/1112/files/midagesaxowo.pdf
    • https://cdn.shopify.com/s/files/1/0427/4746/1788/files/5628532592.pdf
    • https://cdn.shopify.com/s/files/1/0427/9477/8791/files/sodizabi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000979f.bin
a31ddb43a715e53c84ad4bcf1f8a2f81f9ace7e725252c4d0c3e13765a8b7516		 pdf-font-stream PDF embedded font (sfnt) at offset 0x979F 4972 bytes
font_01_sfnt_off0000a898.bin
25b52ca379744de81ae8bef610def2642ef69200fb483a8ec26d62f09bf9d656		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA898 10392 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.