Malicious PDF — malware analysis report

Static analysis result for SHA-256 2b0379667972455d…

MALICIOUS

PDF

Size: 48.4 KB
Created: 2020-09-07 07:39:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d5ebe68978fb8d5dedb7c141e9e21462
SHA-1: 3cc10f7809dc4770dae82c270d62d4f5f316934e
SHA-256: 2b0379667972455d71c4dcdaaa36e0bde0c43174063f304c3608c6f38b53188c
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.club, which is likely intended to lead the user to a malicious download or phishing page. The document body text and embedded URLs also point to this malicious domain, reinforcing the lure of downloading an 'apk mod'. The ML classifier strongly flagged this PDF as malicious, and the presence of numerous embedded links, many pointing to Shopify, suggests a link farm or redirection strategy.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.club/wix?keyword=forest+stay+focused+apk+mod
    • https://cdn.shopify.com/s/files/1/0429/8457/1031/files/milanilevukijulefu.pdf
    • https://cdn.shopify.com/s/files/1/0431/0558/3266/files/diagnostic_interview_for_personality_disorders.pdf
    • https://cdn.shopify.com/s/files/1/0434/9699/7030/files/today_current_weather_report_in_chennai.pdf
    • https://cdn.shopify.com/s/files/1/0440/6345/7432/files/nasodisodoxumoki.pdf
    • https://cdn.shopify.com/s/files/1/0434/5564/3813/files/tupowekavoge.pdf
    • https://static.usrfiles.com/ugd/9c43ec_a417af6fb1704fd8a25e60d250d1d3bf.pdf
    • https://static.usrfiles.com/ugd/c618e9_bfc78e00ceb14ff7a1e8e195f3c1adef.pdf
    • https://static.usrfiles.com/ugd/c63dba_1980f601508f46adb76bf88d8032f045.pdf
    • https://static.usrfiles.com/ugd/738632_a7fd896a7f2b4804bfe981c102f4fbcb.pdf
    • https://static.usrfiles.com/ugd/b8c837_8b02eeaa05704768a4dc0be4137c9f2e.pdf
    • https://cdn.shopify.com/s/files/1/0437/1431/4405/files/composition_of_transformations_worksheet_answer_key.pdf
    • https://cdn.shopify.com/s/files/1/0438/4689/3730/files/74751843368.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off00005e63.bin
    SHA-256: 69fc0b0e4e19105a9a592045e240562d1dbe5e391d5c41e6cfb4d185282af50e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5E63
    Size: 5116 bytes
  • font_01_sfnt_off00006fe1.bin
    SHA-256: 5415f68e4b37a96f68a79310e05a1e77f8cec88f53f427273d5ea635b822f466
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6FE1
    Size: 9696 bytes
  • font_02_sfnt_off0000914b.bin
    SHA-256: e9fe716c2abc985b12a899a49d5539e4e8be1b56d50c083b30290d85a2a7c848
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x914B
    Size: 16092 bytes
  • font_03_sfnt_off0000a613.bin
    SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA613
    Size: 4324 bytes