Malicious PDF — malware analysis report

Static analysis result for SHA-256 27715ed51f709491…

MALICIOUS

PDF

49.9 KB Created: 2020-07-30 17:09:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f603031e48aa0009b2225c918e158e5b SHA-1: b02ec08e08e79fc41844141f3623c947d95274e3 SHA-256: 27715ed51f7094911082a31e11c424b22a7714f229e5c8e0e6dfa3037f421ee8
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.com, disguised as a study guide. The document body, though heavily obfuscated, contains text related to 'quantitative aptitude for bank exams pdf', reinforcing the lure. The PDF also hosts a large number of external links, many pointing to Shopify domains, likely for SEO manipulation to increase visibility. No scripts were extracted, but the primary malicious activity is the redirection to a harmful URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=tricks+to+solve+quantitative+aptitude+for+bank+exams+pdf
    • http://files.stepupprojectsouthafrica.org/uploads/1/3/0/9/130968933/691bdd41220b10.pdf
    • http://files.tigerteammarketing.com/uploads/1/3/1/3/131383889/wuzapovojabujufugu.pdf
    • http://files.caribbeandreamsconcert.com/uploads/1/3/0/7/130775719/3039226.pdf
    • http://files.bridgetutorial.net/uploads/1/3/1/3/131380445/tarevusijojapob.pdf
    • http://files.bridgetutorial.net/uploads/1/3/1/3/131380445/ta
    • https://cdn.shopify.com/s/files/1/0428/9455/7347/files/89955597638.pdf
    • https://cdn.shopify.com/s/files/1/0435/8461/8653/files/52607772199.pdf
    • https://cdn.shopify.com/s/files/1/0428/5041/8847/files/refikasatuvidugarupudobof.pdf
    • https://cdn.shopify.com/s/files/1/0431/2177/0656/files/dotivomanuja.pdf
    • https://cdn.shopify.com/s/files/1/0433/1785/4373/files/34281002695.pdf
    • https://cdn.shopify.com/s/files/1/0439/8543/6830/files/90870504893.pdf
    • https://cdn.shopify.com/s/files/1/0431/5932/2773/files/josededu.pdf
    • https://cdn.shopify.com/s/files/1/0429/5429/3402/files/4699599230.pdf
    • https://cdn.shopify.com/s/files/1/0430/4361/8965/files/70301576229.pdf
    • https://cdn.shopify.com/s/files/1/0431/6397/5835/files/nukugekawisezunafifetopox.pdf
    • https://cdn.shopify.com/s/files/1/0429/9869/4042/files/67282889677.pdf
    • https://cdn.shopify.com/s/files/1/0431/8897/7813/files/vizodotefamokole.pdf
    • https://cdn.shopify.com/s/files/1/0433/4351/1706/files/werapesitifite.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008491.bin
d5eede6bf28443703151109735caf3d3070e53539745c87b958e3eeee8cc2cc9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8491 5588 bytes
font_01_sfnt_off0000977b.bin
0863f3cc0096e698ff8ec67b1d5b2aa7b873ac6c19704f0665f25dc2ca074ddf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x977B 10212 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.