Malicious PDF — malware analysis report

Static analysis result for SHA-256 26aeda78ba6a8457…

MALICIOUS

PDF

66.7 KB Created: 2020-08-14 10:42:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3a203a3acfaad744cabc493e5aeebaea SHA-1: 7772d4b4f27910ff3072b02b3a6b025a6fa8bfa8 SHA-256: 26aeda78ba6a8457e4121611672ec90a661ea5c15256e69dd8f572e994461028
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to ttraff.com. Additionally, it exhibits characteristics of a PDF link farm, with numerous external links, many hosted on cdn.shopify.com. The ML classifier also strongly indicated maliciousness. The embedded URL in the document body, 'https://ttraff.com/pify?keyword=information+age+artifacts', is the primary indicator of malicious intent, likely serving as a lure or part of a larger SEO manipulation scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=information+age+artifacts
    • http://muloxi.essentialbeingcoaching.com/uploads/1/3/1/6/131606289/jeguni-dapudeme-xafokevidep.pdf
    • http://files.fwgrace.org/uploads/1/3/0/8/130813934/1108716.pdf
    • http://wivuwe.haircrafthelensburgh.com/uploads/1/3/0/7/130739693/xudajoxod.pdf
    • http://zugemune.cocrimeanalysis.org/uploads/1/3/0/8/130814526/4667793.pdf
    • http://files.dwellwithchrist.com/uploads/1/3/2/7/132740838/1490824.pdf
    • https://cdn.shopify.com/s/files/1/0429/1565/9942/files/matrices_worksheet_with_answers.pdf
    • https://cdn.shopify.com/s/files/1/0430/8749/5321/files/dadositixupaso.pdf
    • https://cdn.shopify.com/s/files/1/0435/8501/1871/files/outlast_2_torrent.pdf
    • https://cdn.shopify.com/s/files/1/0429/0566/5703/files/vomugesaruribajoxa.pdf
    • https://cdn.shopify.com/s/files/1/0434/4276/5976/files/luvupiwadematogunixe.pdf
    • https://cdn.shopify.com/s/files/1/0431/3628/6877/files/fixokokamidofupix.pdf
    • https://cdn.shopify.com/s/files/1/0429/3178/1791/files/best_job_application_letter_format.pdf
    • https://cdn.shopify.com/s/files/1/0432/4311/0555/files/seginidok.pdf
    • https://cdn.shopify.com/s/files/1/0433/4904/9499/files/51422380962.pdf
    • https://cdn.shopify.com/s/files/1/0430/9647/3749/files/developpement_local_et_amenagement_du_territoire.pdf
    • https://cdn.shopify.com/s/files/1/0431/5509/5712/files/nudefuna.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c7c3.bin
51d1785f97522ae67ec8f0fcfd6af266782fe28727ffcb3363aabc0a1a506c10		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC7C3 5104 bytes
font_01_sfnt_off0000d905.bin
efc7b8b348d6de1c9fdcca6fd33dc378dd6daf059272b07bbae4926452f70822		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD905 10740 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.