Malicious PDF — malware analysis report

Static analysis result for SHA-256 481ea69c79435f6a…

Verdict: MALICIOUS
File type: PDF

Size: 66.2 KB
Created: 2020-09-17 08:38:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5:     0bc9aa70d3eaf192b7de1602d6ba8280
SHA-1:   4f0b09e3533c88c7539f0b021ce7d8ce18b98531
SHA-256: 481ea69c79435f6a2d5a8da5d410e0d3b59faced7612e350513c42098306e561
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link (the sample is a lure whose only observed capability is clickable links to redirector and link-farm hosts; the name given for this ID was "Spearphishing Attachment", which is T1566.001)
T1059.001 Command and Scripting Interpreter: PowerShell (no script content was extracted from this sample, so this mapping is not evidenced by the artifacts below)

The PDF contains a large number of external links, most of them to other PDFs hosted on cdn.shopify.com, laid out to look like legitimate search results. One prominent link, https://ttraff.club/wix?keyword=hour+of+code+answers+frozen, leads to a known malicious redirector. This is consistent with an SEO-poisoning or link-farm pattern whose purpose is to route users into redirect chains rather than to exploit the PDF reader: the Shopify targets are further PDFs of the same kind (file names are keyword phrases or random strings), which is the carrier pattern the heuristics below describe. No scripts were extracted, and the document body was heavily obfuscated, so no later-stage payload could be analysed from the file itself; the risk is carried by the link targets, not by parser behaviour.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9979

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the risk lies in the link target, not in the reader's parser.
  • [critical] PDF_SEO_LINK_FARM: Small PDF carries a mass external PDF link farm
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so the severity is raised only when the duplicate carries active content (scripts or actions).
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL on its own is not a detection; what matters is the channel that reached it (macro, JS, link annotation, document body, metadata, ...), so read each URL against the heuristics above. The clickable links below are the redirector flagged above and the cluster of Shopify-hosted PDFs that makes up the link farm.
    • https://ttraff.club/wix?keyword=hour+of+code+answers+frozen
    • https://cdn.shopify.com/s/files/1/0429/7955/7539/files/55395333164.pdf
    • https://cdn.shopify.com/s/files/1/0428/2508/9191/files/67450331231.pdf
    • https://cdn.shopify.com/s/files/1/0431/7754/1791/files/fegiw.pdf
    • https://cdn.shopify.com/s/files/1/0438/7084/7131/files/3205782816.pdf
    • https://cdn.shopify.com/s/files/1/0482/3138/3194/files/panejixodumidojezepixudak.pdf
    • https://cdn.shopify.com/s/files/1/0427/8249/0791/files/71069254223.pdf
    • https://cdn.shopify.com/s/files/1/0428/8443/2031/files/xisoweraxogubipemom.pdf
    • https://cdn.shopify.com/s/files/1/0430/4296/3613/files/34844429616.pdf
    • https://cdn.shopify.com/s/files/1/0436/2865/8848/files/26974313563.pdf
    • https://cdn.shopify.com/s/files/1/0434/7671/3637/files/87630007270.pdf
    • https://cdn.shopify.com/s/files/1/0440/5451/1766/files/membrane_transport_concept_map_answer_key.pdf
    • https://cdn.shopify.com/s/files/1/0435/1868/9434/files/free_cursive_writing_paragraph_worksheets.pdf
    • https://cdn.shopify.com/s/files/1/0435/9133/6099/files/yakutat_fishing_report_bob_s_blog.pdf
    • https://cdn.shopify.com/s/files/1/0430/9296/7581/files/l_a_w_ka_full_form.pdf
    XMP/RDF metadata namespace URIs (schema identifiers from the document metadata, not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
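The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a few lines of raw-byte scanning. The script below is an added example for this page, not the analysis platform's own rule code: the size and link-count thresholds are assumed values, the hosts cdn.example.test and redirect.example.test are placeholders, and build_sample() constructs a toy PDF skeleton rather than using the analysed file.

```python
"""Re-implementation of two heuristics fired above (PDF_SEO_LINK_FARM and
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) over raw PDF bytes.  Added example for
this page, not the analysis platform's own rules; thresholds are assumed and
the PDF returned by build_sample() is constructed, not the analysed file."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Literal-string /URI entries of link annotations.  Generators such as
# wkhtmltopdf emit these uncompressed; URIs hidden inside /ObjStm containers
# or hex strings need a full parser and are not handled here.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Each "N G obj ... endobj" definition; non-greedy so adjacent objects stay separate.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Keys that make a duplicated object "active content" (raises the severity).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")


def extract_uris(pdf: bytes) -> list:
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def link_farm_check(pdf: bytes, max_size=200_000, min_links=10, top_share=0.6):
    """Flag a small PDF whose clickable external links mostly cluster on one
    host.  Returns None when the (assumed) thresholds are not met."""
    uris = [u for u in extract_uris(pdf) if u.startswith(("http://", "https://"))]
    if len(pdf) > max_size or len(uris) < min_links:
        return None
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    host, n = hosts.most_common(1)[0]
    if n / len(uris) < top_share:
        return None
    return {"links": len(uris), "top_host": host, "top_host_links": n}


def duplicate_objects(pdf: bytes) -> list:
    """Report (num, gen) pairs defined more than once with different bodies.
    A first-wins parser keeps the first body, a last-wins parser the last.
    'active' marks duplicates where either body carries script/action keys."""
    first, dups = {}, []
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        body = m.group(3).strip()
        if key not in first:
            first[key] = body
        elif first[key] != body:  # identical re-emission (benign update) is ignored
            active = any(k in first[key] or k in body for k in ACTIVE_KEYS)
            dups.append({"obj": key, "active": active})
    return dups


def build_sample() -> bytes:
    """Constructed PDF skeleton: twelve links on one CDN host, one link to a
    separate redirector host, and object 50 redefined with an /OpenAction."""
    uris = [b"https://cdn.example.test/s/files/%d.pdf" % i for i in range(12)]
    uris.append(b"https://redirect.example.test/go?keyword=answers")
    parts = [b"%PDF-1.4\n"]
    for n, u in enumerate(uris, start=10):
        parts.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link "
                     b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (n, u))
    parts.append(b"50 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n")
    parts.append(b"50 0 obj\n<< /Type /Catalog /Pages 2 0 R "
                 b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n")
    parts.append(b"%%EOF\n")
    return b"".join(parts)


if __name__ == "__main__":
    pdf = build_sample()
    print("link farm:", link_farm_check(pdf))
    print("duplicate objects:", duplicate_objects(pdf))
```

Run it against a real file with `link_farm_check(open(path, "rb").read())`; for the sample analysed above, the equivalent of the redirector host is ttraff.club and the clustered host is cdn.shopify.com. Because the scan is regex-based it sees only objects and annotations stored in the clear, which is the common case for generator-produced carriers like this wkhtmltopdf output but not for hand-crafted PDFs that hide annotations in object streams.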

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Filename                      Kind                     Source                                     Size
stream_010_off0000ca76.bin    decompressed-pdf-stream  PDF FlateDecoded stream at offset 0xCA76   19256 bytes
    SHA-256: 559600df127f3466fda705470b275205d6486145df1c8c5063ea5fd330a1b9ac
font_00_sfnt_off00004d34.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x4D34  5600 bytes
    SHA-256: 20139b6034425d2427b9ec22f008753fe4914117cd081d160cb547622bd91889
font_01_sfnt_off000060b1.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x60B1  5088 bytes
    SHA-256: 3f86e2457967a3533a40c8787b42dc8d9b1e991d5e0e3d10ce09247809cdde90
font_02_sfnt_off00007225.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x7225  2656 bytes
    SHA-256: c206ac4eca120f096112d408dff6b33a2f721090936d80486df636e1cd240fde
font_03_sfnt_off00007d25.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x7D25  5032 bytes
    SHA-256: a8d067a8b462a4670725224bd81150f9be7617db17a5be1a62edc83f61c6051e
font_04_sfnt_off00008c5a.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x8C5A  3840 bytes
    SHA-256: cca5298ad2e89ab0d41cc63a8205340d9321530172a8d5dda1c28d17fa56adaa
font_05_sfnt_off00009a67.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x9A67  2108 bytes
    SHA-256: e66bd646ff29f48b94a898642357a1d5295b77faffa0bd70eb77acb4aebc9a97
font_06_sfnt_off0000a43e.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0xA43E  11316 bytes
    SHA-256: fe50fd0c3079b32445dba77d1b17a70beb3e8beef7ac0199c6a063511499f9ea
font_08_sfnt_off0000eb0b.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0xEB0B  3612 bytes
    SHA-256: f87f4b7a3547502fada213c66821d92cb3494284b2ee8b83e225d031eafe8233
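The artifact table is produced by walking every stream in the file, inflating the FlateDecode ones and classifying embedded font programs by their sfnt magic. The carver below is an added example written for this page, not the analysis platform's own code; SAMPLE_TEXT, SAMPLE_FONT and build_sample() construct a two-stream toy PDF so it runs offline, and the font body is only a 4-byte TrueType magic followed by padding, not a real font.

```python
"""Carve FlateDecode streams and embedded sfnt fonts out of raw PDF bytes,
reporting kind, offset, size and SHA-256 the way the artifact table above does.
Added example for this page; it is not the analysis platform's own carver.
SAMPLE_TEXT, SAMPLE_FONT and build_sample() are constructed test data."""
import hashlib
import re
import zlib

STREAM_KW = re.compile(rb"\bstream\r?\n")                          # \b excludes 'endstream'
DIRECT_LENGTH = re.compile(rb"/Length\s+(\d+)(?!\d|\s+\d+\s+R)")   # skips indirect '6 0 R'
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")     # TrueType / CFF / Mac / collection


def carve(pdf: bytes) -> list:
    """Walk every 'stream' keyword, recover the stream body (direct /Length if
    present, otherwise up to 'endstream'), inflate it when the stream
    dictionary names /FlateDecode, and classify sfnt font programs by magic.
    Objects packed inside /ObjStm containers are not expanded."""
    found, pos = [], 0
    while (m := STREAM_KW.search(pdf, pos)) is not None:
        data_off = m.end()
        obj_start = pdf.rfind(b" obj", 0, m.start())
        dict_bytes = pdf[obj_start:m.start()] if obj_start >= 0 else b""
        length = DIRECT_LENGTH.search(dict_bytes)
        if length:
            raw = pdf[data_off:data_off + int(length.group(1))]
        else:  # indirect or missing /Length: fall back to the endstream keyword
            end = pdf.find(b"endstream", data_off)
            if end < 0:
                break
            raw = pdf[data_off:end].rstrip(b"\r\n")
        pos = data_off + len(raw)
        kind, data = "pdf-stream", raw
        if b"/FlateDecode" in dict_bytes:
            try:
                d = zlib.decompressobj()
                data = d.decompress(raw) + d.flush()
                kind = "decompressed-pdf-stream"
            except zlib.error:
                kind = "corrupt-flate-stream"   # keep raw bytes for manual triage
        if data[:4] in SFNT_MAGICS:
            kind = "pdf-font-stream"
        found.append({"kind": kind, "offset": data_off, "size": len(data),
                      "sha256": hashlib.sha256(data).hexdigest()})
    return found


SAMPLE_TEXT = b"BT /F1 12 Tf (link farm page) Tj ET\n" * 20   # constructed page content
SAMPLE_FONT = b"\x00\x01\x00\x00" + b"\x00" * 60               # sfnt magic + padding, not a real font


def _stream_obj(num: int, extra: bytes, body: bytes) -> bytes:
    return (b"%d 0 obj\n<< /Length %d %s >>\nstream\n" % (num, len(body), extra)
            + body + b"\nendstream\nendobj\n")


def build_sample() -> bytes:
    """Constructed PDF with a Flate-compressed content stream and a
    Flate-compressed FontFile2 whose body starts with the TrueType magic."""
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        _stream_obj(4, b"/Filter /FlateDecode", zlib.compress(SAMPLE_TEXT)),
        _stream_obj(5, b"/Filter /FlateDecode /Length1 64", zlib.compress(SAMPLE_FONT)),
        b"%%EOF\n",
    ])


if __name__ == "__main__":
    for a in carve(build_sample()):
        print(f"{a['kind']:24} off=0x{a['offset']:X} size={a['size']} sha256={a['sha256'][:16]}...")
```

Point it at the analysed file with `carve(open(path, "rb").read())` to reproduce the offsets and hashes in the table; the offset recorded is that of the first byte after the `stream` keyword, which is how the filenames above (`off0000ca76`, `off00004d34`, ...) are derived. Hashing the inflated bytes rather than the compressed ones is what makes the SHA-256 stable across files that embed the same font with different compression settings.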