Malicious PDF — malware analysis report

Static analysis result for SHA-256 3a69219ca8856981…

MALICIOUS

PDF

Size: 114.3 KB
Created: 2020-08-08 02:11:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fd9ac75a6ec38e412b705c46ed417b2f
SHA-1: 29c18cf11636a3c91b41c6c98ed2b51223adf0a2
SHA-256: 3a69219ca885698131f0d27b13f91e0f90af787916a50ff1957718f6b9ffc760
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a link to a known malicious redirector, ttraff.com, which is disguised with a keyword related to ancient Egyptian temples. This indicates a social engineering lure to direct the user to malicious content. The ML classifier also strongly flagged this PDF as malicious. The presence of numerous external links, many pointing to shopify.com, suggests a link farm or SEO manipulation tactic to obscure the true malicious destination.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=ancient+egyptian+temples+pdf
    • http://vesupiwuf.epixcme.com/uploads/1/3/0/8/130874284/nesoxox-lupot.pdf
    • http://lokan.manhattanhope.com/uploads/1/3/2/3/132303410/8995853.pdf
    • http://files.medic-rescue.co.uk/uploads/1/3/2/7/132712334/kuzube_jetujawowefusi_gexineretuf_gizaz.pdf
    • http://files.whitegallowaysofwayby.com/uploads/1/3/0/8/130873907/fewubogukobavel-sixomolimu-mifip.pdf
    • https://cdn.shopify.com/s/files/1/0433/9456/4252/files/53424032731.pdf
    • https://cdn.shopify.com/s/files/1/0452/3737/1037/files/shackled_city_3._5.pdf
    • https://cdn.shopify.com/s/files/1/0455/6003/7541/files/fhp_synchronous_motor.pdf
    • https://cdn.shopify.com/s/files/1/0434/0252/6887/files/aviation_security_mcqs.pdf
    • https://cdn.shopify.com/s/files/1/0429/8702/8641/files/86288220417.pdf
    • https://cdn.shopify.com/s/files/1/0432/0421/4942/files/73532108737.pdf
    • https://cdn.shopify.com/s/files/1/0438/3545/7696/files/sammamish_wa_weather.pdf
    • https://cdn.shopify.com/s/files/1/0427/9864/5404/files/dale_carnegie_golden_book.pdf
    • https://cdn.shopify.com/s/files/1/0431/9258/2293/files/88447265650.pdf
    • https://cdn.shopify.com/s/files/1/0431/0643/5232/files/zuruvixanigavisukimoxapex.pdf
    • https://cdn.shopify.com/s/files/1/0428/2220/5607/files/collaboration_diagram_for_library_management_system.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000169bf.bin
  SHA-256: dafa69fdff43e24bb6b7a65ee90635adda1e4fb7a793c9e2ce1f23b0ea6da920
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x169BF
  Size: 5472 bytes

Filename: font_01_sfnt_off00017c5e.bin
  SHA-256: 5c8da334e0e4c3f8e2485a39c2e40575853542e60d8341fc006e017c665b7418
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x17C5E
  Size: 13192 bytes

Filename: font_02_sfnt_off0001a5dd.bin
  SHA-256: 5b8d434429951bc4f37ed679247922fb20d6663d68e073af52f4bc706f5d61be
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1A5DD
  Size: 16156 bytes