Malicious PDF — malware analysis report

Static analysis result for SHA-256 38ae5681cfd9235a…

MALICIOUS

PDF

37.5 KB Created: 2020-08-07 07:28:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2c849f271e710f9b7fef9d1e44d0d6d0 SHA-1: ddbc5af812fabb4b21ab6d7d4350080717bf2828 SHA-256: 38ae5681cfd9235a1237216dc94aff141465b39daf42d049b5c45aededaf71f8
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document exhibits characteristics of a link farm, with numerous embedded URLs pointing to external resources. One critical heuristic identified a link to a known malicious redirector, ttraff.cc, which is used to obscure the ultimate destination. The document body, though heavily obfuscated, contains the same redirector URL, suggesting it is the primary mechanism for delivering malicious content. The presence of many Shopify-hosted PDF links, some confirmed benign and others unknown, indicates an attempt to blend malicious links with seemingly legitimate ones.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=cutting+edge+pre+intermediate+third+edition+pdf+vk
    • http://files.rosesfloristbiloxi.com/uploads/1/3/2/7/132712451/juzejen.pdf
    • http://neliwaf.katytessman.com/uploads/1/3/0/7/130775350/2397d3735.pdf
    • http://files.gordoncentralperformingarts.org/uploads/1/3/0/7/130740530/zebuwepepujogit_nezujiguluxew_zetujexozonimex_wikudesa.pdf
    • https://cdn.shopify.com/s/files/1/0432/3550/8387/files/juxazozilo.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/61047377128.pdf
    • https://cdn.shopify.com/s/files/1/0428/7240/6179/files/2643522648.pdf
    • https://cdn.shopify.com/s/files/1/0431/3156/8290/files/54642725226.pdf
    • https://cdn.shopify.com/s/files/1/0437/5799/4142/files/similar_triangles_word_problems.pdf
    • https://cdn.shopify.com/s/files/1/0433/4767/3253/files/xopejumarasepama.pdf
    • https://cdn.shopify.com/s/files/1/0432/1781/3661/files/maps_of_the_ninth_world.pdf
    • https://cdn.shopify.com/s/files/1/0431/7180/7391/files/xowigerigewavalabuwak.pdf
    • https://cdn.shopify.com/s/files/1/0437/0812/1242/files/64325875588.pdf
    • https://cdn.shopify.com/s/files/1/0432/4586/3067/files/jorosuruxusejizide.pdf
    • https://cdn.shopify.com/s/files/1/0430/4017/8333/files/wumideguterujubarawinid.pdf
    • https://cdn.shopify.com/s/files/1/0435/1531/4330/files/wepawonimasazejefoliva.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005452.bin
d25b6805256076046dc850ac7906bf9112cc9ab27f4d95ba8d262120704d4949		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5452 5272 bytes
font_01_sfnt_off00006621.bin
f2d27be4c7042193d16c6d1d85b5f53a7913971e6730ea71d7d74d61f5372bb1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6621 10356 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.