Malicious PDF — malware analysis report

Static analysis result for SHA-256 404fcf8655406054…

MALICIOUS

PDF

79.7 KB Created: 2020-08-03 08:14:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e36fcc182e34e1e23ac0703f91d9f93a SHA-1: 750ad9c7835f44ece2cdca0deaaa46e2bc891631 SHA-256: 404fcf86554060546767a67b97f59dfae725d46817e7581275f699b044ca05fa
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document exhibits characteristics of a link farm, with numerous embedded URLs pointing to external resources. One critical heuristic identifies a link to a known malicious redirector at 'ttraff.com', suggesting a phishing or malware distribution attempt. The document body, though heavily obfuscated, contains a reference to the same malicious URL. The presence of multiple Shopify URLs, while some are confirmed benign, indicates an attempt to blend malicious links with seemingly legitimate ones.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=revelation+online+swordmage+guide
    • http://files.clareannmatz.com/uploads/1/3/1/6/131606127/350687.pdf
    • http://files.kitchengadgetvegan.com/uploads/1/3/1/4/131437649/5704248.pdf
    • http://files.avhsdeca.com/uploads/1/3/1/4/131406840/c76ed9ef11.pdf
    • http://files.jcct-tucson.org/uploads/1/3/2/6/132683137/3558101.pdf
    • http://files.marksmadmenband.com/uploads/1/3/0/8/130874352/dogebojodasuwe_javude_zufesawis_wekiz.pdf
    • https://cdn.shopify.com/s/files/1/0440/6552/1814/files/63314027391.pdf
    • https://cdn.shopify.com/s/files/1/0439/2439/0056/files/37849674703.pdf
    • https://cdn.shopify.com/s/files/1/0432/1669/9553/files/26265620953.pdf
    • https://cdn.shopify.com/s/files/1/0429/5183/5801/files/75514623000.pdf
    • https://cdn.shopify.com/s/files/1/0436/9167/1705/files/jokasawimunukiradaf.pdf
    • https://cdn.shopify.com/s/files/1/0431/3903/9388/files/5e_barbarian_totems.pdf
    • https://cdn.shopify.com/s/files/1/0435/6934/8763/files/rewimafijuwijovifowigix.pdf
    • https://cdn.shopify.com/s/files/1/0431/1141/5974/files/33725113234.pdf
    • https://cdn.shopify.com/s/files/1/0430/9942/2881/files/toluvulodiwurabujutekib.pdf
    • https://cdn.shopify.com/s/files/1/0429/3437/0470/files/15217054300.pdf
    • https://cdn.shopify.com/s/files/1/0440/7705/6165/files/vomakutikijowi.pdf
    • https://cdn.shopify.com/s/files/1/0427/4293/9814/files/66861883437.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f1f1.bin
3d984b7fb6e2f33da7d956bdfaa2e273d20d6449af5f22c7c1f77de502fd6e34		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF1F1 5304 bytes
font_01_sfnt_off000103fe.bin
6446fbac5698c6bbcb9a752fc917c495e980aa5bd49cf9795412156dda09721c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x103FE 14684 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.