Malicious PDF — malware analysis report

Static analysis result for SHA-256 38e5aa079fdc01f7…

MALICIOUS

PDF

44.2 KB Created: 2020-08-14 11:06:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0a38162061958a21376b0e9640ca87f1 SHA-1: 56424e7622a1fdb34f4a1d8b1b7605465e63ae32 SHA-256: 38e5aa079fdc01f791d00c3752d9219e92037b49836a3d7b360b5d2f68d7e047
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1200 Hardware Add-Override

The PDF file was flagged as malicious by a machine learning classifier and contains numerous embedded links. A critical heuristic identified these links as pointing to a known malicious redirector infrastructure via ttraff.com. Another critical heuristic indicates the PDF hosts a link farm, with many links pointing to Shopify domains, likely for SEO manipulation or to obscure the final malicious destination. No scripts were extracted, and the document body is heavily obfuscated, but the presence of the malicious redirector URL is a strong indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=aho+ni+aho+song
    • http://files.tomfosterclippers.com/uploads/1/3/0/7/130740465/792585.pdf
    • http://lepov.spokanewatercolor.org/uploads/1/3/0/9/130969432/rifiwejop_xixina_tavidelakebit_texunewa.pdf
    • http://files.frostedfarmsnc.com/uploads/1/3/0/7/130776218/gironivud_vizemel_jupuzojifun_dugano.pdf
    • https://cdn.shopify.com/s/files/1/0431/2426/1018/files/fosenuvinekagaxu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0638/5558/files/70622166245.pdf
    • https://cdn.shopify.com/s/files/1/0432/2679/2093/files/gijofotonewojiginopibixu.pdf
    • https://cdn.shopify.com/s/files/1/0436/9242/5384/files/moms_in_control.pdf
    • https://cdn.shopify.com/s/files/1/0435/0020/8294/files/add_text_to_free_windows.pdf
    • https://cdn.shopify.com/s/files/1/0434/9162/3077/files/34726945336.pdf
    • https://cdn.shopify.com/s/files/1/0430/5282/6773/files/90083055841.pdf
    • https://cdn.shopify.com/s/files/1/0440/4799/0934/files/19098864052.pdf
    • https://cdn.shopify.com/s/files/1/0432/8803/5486/files/sobosarob.pdf
    • https://cdn.shopify.com/s/files/1/0429/3489/4755/files/nufumudezavuwebef.pdf
    • https://cdn.shopify.com/s/files/1/0435/9772/5864/files/16133635458.pdf
    • https://cdn.shopify.com/s/files/1/0432/2990/5058/files/91722421362.pdf
    • https://cdn.shopify.com/s/files/1/0429/6887/5157/files/kitupuzasufujimasor.pdf
    • https://cdn.shopify.com/s/files/1/0431/5843/8039/files/55007738458.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000506d.bin
988e1c1b635662444482d38623e9fc6bb1285b9450474c2766a1bd0ff21f4dfe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x506D 4808 bytes
font_01_sfnt_off000060c4.bin
eb556c990386ac75b005cdc7f04377ed7e8d961abbecde58ee6fa9427d8ef00e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x60C4 14792 bytes
font_02_sfnt_off00008f01.bin
c988415812f594187b0a0ed75dc52802e798e1695b49bd300f8412a65040a449		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8F01 16204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.