Malicious PDF — malware analysis report

Static analysis result for SHA-256 459b9d8901b9d5b4…

MALICIOUS

PDF

40.1 KB Created: 2020-09-06 18:54:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0cce6809acd787d4cf8d601354477a51 SHA-1: 4fdb0e426a4e5b40c969f8ea0323d526f295a70b SHA-256: 459b9d8901b9d5b4463424d020cf489b72c88867237de4ad7d07e50503efb92f
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to a link farm designed for SEO manipulation. One prominent link redirects to a malicious domain, 'ttraff.me', which is flagged as a redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.me/wix?keyword=fractions+into+decimals+answers', suggesting a lure related to educational content to entice clicks. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=fractions+into+decimals+answers
    • https://static.usrfiles.com/ugd/837d34_355e3911006a400586b93bf17b08a713.pdf
    • https://static.usrfiles.com/ugd/4a6c57_c5bec4856da0451897827a2bbb09c382.pdf
    • https://static.usrfiles.com/ugd/9c0842_bcafcb89887f4fe796e551cca25f9339.pdf
    • https://static.usrfiles.com/ugd/217d68_43f8058b4e874d3f93bdcf6a0072c46c.pdf
    • https://static.usrfiles.com/ugd/ace02d_27793ac6cbfd4eb4bcf1e08ef655eb62.pdf
    • https://cdn.shopify.com/s/files/1/0461/0673/8851/files/mufefuwidatogebaxor.pdf
    • https://cdn.shopify.com/s/files/1/0433/9856/1959/files/98739640933.pdf
    • https://cdn.shopify.com/s/files/1/0430/6301/7629/files/felonan.pdf
    • https://cdn.shopify.com/s/files/1/0427/3415/7991/files/powuzevuj.pdf
    • https://cdn.shopify.com/s/files/1/0429/2195/1391/files/98143814436.pdf
    • https://cdn.shopify.com/s/files/1/0462/2974/9909/files/sudikolawawasotegubelovu.pdf
    • https://cdn.shopify.com/s/files/1/0437/1087/3765/files/gebarufavabivugewona.pdf
    • https://cdn.shopify.com/s/files/1/0427/9851/4343/files/pixufefe.pdf
    • https://cdn.shopify.com/s/files/1/0430/0043/0746/files/pokeriti.pdf
    • https://cdn.shopify.com/s/files/1/0429/9181/2767/files/weekly_cash_flow_report_template.pdf
    • https://static.usrfiles.com/ugd/69a512_322d4e12526a43f5821ad5539c292f06.pdf
    • https://static.usrfiles.com/ugd/40336e_171f2f0980f9496f97df156afc4a39f3.pdf
    • https://static.usrfiles.com/ugd/b8c837_4a8e8b88ce3f42ecaa4fc7149577fd9a.pdf
    • https://static.usrfiles.com/ugd/361045_9e4b673556284be9974092dd756c7f41.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005fc1.bin
e89b4c013b20c7acd251a970d919d3c9c507d81202ad066473c9fd9cfef6342d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FC1 5132 bytes
font_01_sfnt_off0000712c.bin
f37c3cf0fb4eb696914a20d515a2ad74916362399506ef135834a9756c647722		 pdf-font-stream PDF embedded font (sfnt) at offset 0x712C 10052 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.