Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c568fb8dd1bb26a…

MALICIOUS

PDF

Size: 73.3 KB
Created: 2020-08-28 07:26:21 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f69f9b44aca1c230cb93d50be7f7bca1
SHA-1: 987bea5bfccc2ca7429870869af00165c814042f
SHA-256: 2c568fb8dd1bb26a8563fcc043f815f9c7591a5d84c0df4b722893ae7a4e7bf0
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'ttraff.me'. The document body, though heavily obfuscated, also contains this URL, suggesting it's the primary lure. The presence of numerous external PDF links, many hosted on Shopify, indicates a link farm strategy, likely for SEO manipulation or to obscure the malicious destination. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.me/pify?keyword=out+of+the+crisis+edwards+deming+pdf
    • http://vafir.mmorrisld.com/uploads/1/3/1/4/131437689/mivitupij.pdf
    • http://files.villagegreenla.net/uploads/1/3/2/6/132681359/454706.pdf
    • http://fovazili.torontocycling.org/uploads/1/3/1/4/131438379/633f8aa027.pdf
    • http://fapumezij.centralwyomingkennelclub.org/uploads/1/3/1/4/131407377/jijomedipixirisutup.pdf
    • http://files.newyorkautoschool.com/uploads/1/3/1/8/131856713/nakegekidetamutemike.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/nimapudusakodinufuzexive.pdf
    • https://cdn.shopify.com/s/files/1/0429/8375/1831/files/bagaboriladu.pdf
    • https://cdn.shopify.com/s/files/1/0439/0453/2648/files/52630057861.pdf
    • https://cdn.shopify.com/s/files/1/0447/1400/0538/files/north_conway_nh_foliage_report.pdf
    • https://cdn.shopify.com/s/files/1/0428/3275/6902/files/36418366723.pdf
    • https://cdn.shopify.com/s/files/1/0429/9105/9097/files/62130186102.pdf
    • https://cdn.shopify.com/s/files/1/0434/3834/2311/files/89627196202.pdf
    • https://cdn.shopify.com/s/files/1/0437/4682/0245/files/veera_gnaneswar_gude.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/lugapib.pdf
    • https://cdn.shopify.com/s/files/1/0427/8360/4903/files/96808575723.pdf
    • https://cdn.shopify.com/s/files/1/0435/1646/1211/files/spiderwick_chronicles_the_field_guide_epub.pdf
    • https://cdn.shopify.com/s/files/1/0443/8307/6518/files/cardiopatia_reumatica_fisiopatologia.pdf
    • https://cdn.shopify.com/s/files/1/0433/4934/4421/files/27774344665.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

font_00_sfnt_off0000d219.bin
  SHA-256: e5a2c02324aa03b71328f07242eb1b8ea507d1696eff02e95cb1ad3bd8b07aec
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD219
  Size: 5540 bytes

font_01_sfnt_off0000e4e9.bin
  SHA-256: fc2175d5f8947d175ae8d9348b6da7e8c5eb56c6be43ea4f99ff6ee05748e0c0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE4E9
  Size: 10800 bytes

font_02_sfnt_off000109ac.bin
  SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x109AC
  Size: 4324 bytes