Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d1cf8774f592276…

Verdict: MALICIOUS
File type: PDF
Size: 73.4 KB
Created: 2020-08-30 20:53:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e060e43b8758b1f1df954e5b6180e93d
SHA-1: 8dcc879947d6f7ef0a1711d076495d9521d62ddf
SHA-256: 2d1cf8774f59227626ba3aeab1295ac4a4640116071c97f362090b0c9346f303
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains numerous embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'meditation and kabbalah' and the malicious URL, suggesting a lure to a phishing or malware distribution site. The ML classifier strongly flagged this PDF as malicious. No scripts were extracted, and the primary malicious activity appears to be the redirection to the ttraff.com domain.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/wix?keyword=aryeh+kaplan+meditation+and+kabbalah

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0000ca02.bin
    SHA-256: ba37762f708db8e3601a604f1aa30f364b01c81a11825101047bf8510fe8b819
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xCA02; Size: 5316 bytes
  • font_01_sfnt_off0000dbeb.bin
    SHA-256: 2f6aa0a36d5a2fe10a86d1eabd2607333b6f31de7ad2525a16effb39aa303c90
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xDBEB; Size: 11284 bytes
  • font_02_sfnt_off00010253.bin
    SHA-256: d624bb4fba39b905590b858034b3fce346a20e934e67432a9bc56bc86adc124d
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x10253; Size: 16452 bytes