Malicious PDF — malware analysis report

Static analysis result for SHA-256 4837e3e93e44115b…

MALICIOUS

PDF

41.8 KB Created: 2020-09-02 15:56:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ccaf6b29dccb640ce581b2f88d795a89 SHA-1: f64d4107f17cde609510f8f01578d92be1bba0c8 SHA-256: 4837e3e93e44115b8934f99a3d35a020f054d66ceb55549bb519519231ff99f2
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.me, which is disguised as a Jasper reports library resource. This suggests a phishing or malware delivery attempt. The PDF also contains a large number of links to other PDFs hosted on Shopify, likely for SEO manipulation to improve search engine ranking for malicious content. No scripts were extracted, but the primary malicious indicator is the redirector URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=jasper+reports+library+java
    • https://cdn.shopify.com/s/files/1/0448/7803/7159/files/54196946324.pdf
    • https://cdn.shopify.com/s/files/1/0438/3830/8512/files/clastic_sedimentary_rocks_are_formed_by.pdf
    • https://cdn.shopify.com/s/files/1/0432/6300/0736/files/gepadab.pdf
    • https://static.usrfiles.com/ugd/9c66ff_a385b8224e9f42ae92e9d30b7f550f8d.pdf
    • https://static.usrfiles.com/ugd/b8c837_e5d8e7434cde4aca898148b5cf1aa115.pdf
    • https://static.usrfiles.com/ugd/b916f4_eba143238f104498866465378fcab6ef.pdf
    • https://static.usrfiles.com/ugd/bc0d1e_603d924614de4263adc3f50f1f422d62.pdf
    • https://static.usrfiles.com/ugd/2e79a6_e4aa1d454aaf4d78988af062d6a856f7.pdf
    • https://cdn.shopify.com/s/files/1/0432/9432/6939/files/ninja_game_on_ps2.pdf
    • https://cdn.shopify.com/s/files/1/0430/4447/0945/files/70716049495.pdf
    • https://cdn.shopify.com/s/files/1/0429/7264/3491/files/xawixamoriz.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000064ef.bin
e423c07797481f7b880aa2cf83242af7a34786f15fbcb1641c0cb45b46eee496		 pdf-font-stream PDF embedded font (sfnt) at offset 0x64EF 5180 bytes
font_01_sfnt_off000076ab.bin
032850fadbf44b392f16015aa02a1a2dbadcea1b50f0d58b21faef66594a616e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76AB 10600 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.