Malicious PDF — malware analysis report

Static analysis result for SHA-256 385afb9ec3c76092…

MALICIOUS

PDF

Size: 40.0 KB
Created: 2020-08-15 02:30:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fa26f1102095c14f5b1acab0a8ef835d
SHA-1: 7e5ccd2760f3a48ec83f5f7a26cf09cdda33d383
SHA-256: 385afb9ec3c76092eb4d3ecf92fee777b171068a052c03f645bf49c332050faf
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

A critical heuristic fires on a malicious redirector link pointing to `ttraff.com`. The document body, though heavily obfuscated, contains text related to 'Ms excel 2016 advanced tutorial pdf' together with the malicious URL. The PDF also shows link-farm characteristics: it embeds numerous URLs, many pointing to benign Shopify-hosted files, while others lead to unknown domains that are likely part of the malicious infrastructure. The primary attack vector appears to be social engineering via a deceptive link.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=ms+excel+2016+advanced+tutorial+pdf
    • http://ruvedakeg.marinafernezir.com/uploads/1/3/0/7/130738885/7cd9ec.pdf
    • http://files.farmershelpers.com/uploads/1/3/1/6/131606011/6494922.pdf
    • http://files.hopefulromanticmovie.com/uploads/1/3/2/6/132682905/f860e5efaa.pdf
    • http://solel.lifeoutloudpodcast.com/uploads/1/3/1/3/131384226/nupobawin-rugel-wujagat-zomupedowip.pdf
    • http://files.nbhctoledo.com/uploads/1/3/1/4/131453698/6059569.pdf
    • https://cdn.shopify.com/s/files/1/0433/6071/4904/files/fizunebasubigotisarid.pdf
    • https://cdn.shopify.com/s/files/1/0433/2371/9845/files/5152310480.pdf
    • https://cdn.shopify.com/s/files/1/0438/1822/1730/files/awg_ampacity_table.pdf
    • https://cdn.shopify.com/s/files/1/0445/7473/6543/files/movimiento_ondulatorio_ejemplos.pdf
    • https://cdn.shopify.com/s/files/1/0446/6468/4697/files/cambridge_igcse_physics_workbook_2nd_edition_answers.pdf
    • https://cdn.shopify.com/s/files/1/0440/5090/7286/files/palen.pdf
    • https://cdn.shopify.com/s/files/1/0427/7446/2631/files/fojadufitovebejo.pdf
    • https://cdn.shopify.com/s/files/1/0441/1867/1512/files/introduction_to_aircraft_aeroelasticity_and_loads.pdf
    • https://cdn.shopify.com/s/files/1/0436/3472/0928/files/doorking_1812_manual.pdf
    • https://cdn.shopify.com/s/files/1/0434/2172/8918/files/94999997091.pdf
    • https://cdn.shopify.com/s/files/1/0437/9148/3042/files/77108191234.pdf
    • https://cdn.shopify.com/s/files/1/0436/4910/6080/files/55417948982.pdf
    • https://cdn.shopify.com/s/files/1/0433/7618/1398/files/the_zohar_secret.pdf
    • https://cdn.shopify.com/s/files/1/0440/8344/5925/files/weather_forecast_lewiston_maine.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0433/7618/1398/files/the_zohar_secr

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                      Size
font_00_sfnt_off00005d8b.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x5D8B   5764 bytes
  SHA-256: b149a9dc7d79d0d04a489ff1427e3fb3c631f6ab096a4e14914fd4847fc4a614
font_01_sfnt_off0000714c.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x714C   9812 bytes
  SHA-256: 997e8206cb8379fa17b4064e14404c80f3f86585eecf714c50694cd4220de66c