Malicious PDF — malware analysis report

Static analysis result for SHA-256 28968391a4ee304c…

Verdict: MALICIOUS
File type: PDF
Size: 140.0 KB
Created: 2020-08-22 07:08:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 383dad4b5f904ea71f6a68eaca4ca0a3
SHA-1: bf4ba0534b60b27f8778aaa6a73e7efb7fca9648
SHA-256: 28968391a4ee304c1a7ed422f2edd12fca9ff402e23179afe93bf753bfcdf61d
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.cc, which is used to lure users to malicious content. The document body, though heavily obfuscated, also contains this URL along with numerous other links hosted on shopify.com and other domains, which suggests a link farm or redirection strategy. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9751

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI pointing to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=the+answer+to+everything+is+42+movie

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
stream_009_off0001797b.bin | 004255bd3bd10f7fb9deef8c074156735f1d4b95e2564b931e6059fb921459a6 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1797B | 3204 bytes
font_00_sfnt_off000123f1.bin | 0e099439fad9d82cab7fe652aa00060dd1135bc3bc3a9cb372ccb0b68d5d5473 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x123F1 | 6744 bytes
font_01_sfnt_off00013b7c.bin | d8e600474693b79b2ec786b8383a12e2927870ede824b0e8bccbfec0c4b07361 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13B7C | 5488 bytes
font_02_sfnt_off00014e1e.bin | 1fd464739946460e833ade7eb0aa23b85dc4b12a492f056daa29606439ddb77d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14E1E | 3792 bytes
font_03_sfnt_off00015c08.bin | e0079f09db5e3adb03f9f87f95add1711d4539799d988c8fe3aa7ab3b51b0831 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15C08 | 4892 bytes
font_04_sfnt_off00016bde.bin | 71b71b3c95c396df86b74eda9d675472dd4ded91f59021c0ba2dd788bd645a1e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16BDE | 3600 bytes
font_06_sfnt_off0001865f.bin | 3d802cc5995d55f536a17739b8feb7207f58781f341115108218652133911458 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1865F | 5612 bytes
font_07_sfnt_off000199a6.bin | 696cd7a76e16d9663ebac5964e2ac97592af2debc62c60b4c02a8bfd9aa268b8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x199A6 | 2812 bytes
font_08_sfnt_off0001a5f9.bin | 71f0ea6b182f67b27e6afd052ef602895c4138dd0e70c0f98b4e68aa9f7baf72 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A5F9 | 6476 bytes
font_09_sfnt_off0001b738.bin | b3f9c0b155185fc3312e877320d6e1dbb584b1988883d96f79639da7ab2bc160 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B738 | 19508 bytes
font_10_sfnt_off0001efdd.bin | 7a1c8c21cb24b13eef72d14a4a5d00de6ac8e936ec2de5c537315d57380e07d0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1EFDD | 19624 bytes
font_11_sfnt_off00021107.bin | dfca31268cb36367e44c29d80ac6d57124a4a863b1deb62a7c217727ab33a636 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x21107 | 3284 bytes