Malicious PDF — malware analysis report

Static analysis result for SHA-256 486a641b894adfb3…

Verdict: MALICIOUS

File type: PDF

Size: 50.1 KB
Created: 2020-08-20 23:00:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3825b26156a7716955b51f3e4b3440f1
SHA-1: 6daaec92cae77d3fa754d26cc754197145ffdcd6
SHA-256: 486a641b894adfb376f02682cbdfa0eb5ebfbaa4ab91255f196c88529d2159ee
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains a clickable link to a known malicious redirector, ttraff.com, which is designed to lead users to malicious content. The document body, though heavily obfuscated, contains the same lure text as the keyword parameter of the redirector URL. The presence of numerous PDF links, many pointing to benign Shopify-hosted files, suggests a link farm or SEO poisoning tactic used to distribute the malicious PDF. The ML classifier scored the file as malicious with a score of 1.0000. The detections rest on the link targets and the document's shape, not on an exploit of a PDF parser vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes, typically through an incremental update. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (e.g. JavaScript or action dictionaries).
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL (the link that triggers PDF_MALICIOUS_REDIRECTOR_LINK):
    • https://ttraff.com/pify?keyword=fractured+but+whole+token+character+sheet
    External PDF links (the link farm):
    • http://files.inter-clubtennischampionships.com/uploads/1/3/0/9/130969937/nudimorawugesi_fikidari_xivezavo_zavelubomabu.pdf
    • http://files.nourishthesoul.me/uploads/1/3/1/1/131164531/natobokosafukuwo.pdf
    • http://files.stmarysbeauly.org/uploads/1/3/1/6/131607103/medopowakejot.pdf
    • http://pemolon.fullspectrumspeech.org/uploads/1/3/2/6/132695278/630730c3a.pdf
    • https://cdn.shopify.com/s/files/1/0429/2640/7843/files/antagonismo_biologia.pdf
    • https://cdn.shopify.com/s/files/1/0427/8219/5879/files/8615200080.pdf
    • https://cdn.shopify.com/s/files/1/0440/7505/7302/files/cae_gold_exam_maximiser_2020.pdf
    • https://cdn.shopify.com/s/files/1/0431/4788/6743/files/linkin_park_in_pieces_lyrics.pdf
    • https://cdn.shopify.com/s/files/1/0430/7435/5351/files/damodaran_valuation_spreadsheet.pdf
    • https://cdn.shopify.com/s/files/1/0428/4507/7660/files/newogabozinus.pdf
    • https://cdn.shopify.com/s/files/1/0432/5192/5155/files/32037076580.pdf
    • https://cdn.shopify.com/s/files/1/0431/5820/8674/files/pitiguw.pdf
    • https://cdn.shopify.com/s/files/1/0434/8923/1000/files/bukhari_sharif_bangla_file_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0429/7555/9829/files/78525742759.pdf
    Standard XMP/RDF namespace identifiers from the document metadata (schema names, not clickable link targets):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
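The three structural heuristics above (per-channel URL extraction, the SEO link-farm check, and duplicate object bodies from incremental updates) are easy to re-implement for triage. The following is an added example, not the scanner's code or the sample's bytes: it builds a constructed, hypothetical PDF-shaped byte string (placeholder hosts, no real infrastructure), then runs a toy object parser and the three checks over it. Thresholds (8 .pdf links, 50% on one host, 200 KB) are assumptions chosen for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Toy object parser: good enough for a clean, uncompressed file; a real scanner
# must also handle object streams, escaped strings and damaged xref tables.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # no escaped ')' handling
XMLNS_RE = re.compile(rb'xmlns:\w+="(https?://[^"]+)"')
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/S /URI")


def build_sample_pdf(active_update=False):
    """Constructed sample (not the analysed file): one redirector link, ten .pdf
    link annotations on a single placeholder host, one on another host, an XMP
    metadata stream, and object 4 redefined by an incremental update."""
    uris = ["https://redirector.example/pify?keyword=lure+text"]
    uris += [f"https://cdn.host.example/files/{i}/doc{i}.pdf" for i in range(10)]
    uris += ["http://other.example/x.pdf"]
    annots, objs = [], []
    for num, u in enumerate(uris, start=5):
        objs.append(f"{num} 0 obj << /Type /Annot /Subtype /Link "
                    f"/A << /S /URI /URI ({u}) >> >> endobj\n")
        annots.append(f"{num} 0 R")
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    body = (
        "%PDF-1.4\n"
        "1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{' '.join(annots)}] >> endobj\n"
        f"4 0 obj << /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\n"
        f"stream\n{xmp}\nendstream\nendobj\n"
        + "".join(objs) + "trailer << /Root 1 0 R >>\n%%EOF\n"
    )
    # Incremental update redefining "4 0": a body-only change (benign shape)
    # or an action dictionary (the case where severity should be raised).
    if active_update:
        body += "4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n"
    else:
        body += ("4 0 obj << /Type /Metadata /Subtype /XML /Length 0 >>\n"
                 "stream\n\nendstream\nendobj\n%%EOF\n")
    return body.encode()


def parse_objects(data):
    """Every 'N G obj ... endobj' occurrence in file order, duplicates included."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_object_bodies(objects):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (N G) defined with differing bodies.
    Severity stays 'info' unless one of the variants carries active content."""
    seen = {}
    for num, gen, body in objects:
        seen.setdefault((num, gen), []).append(body)
    findings = []
    for (num, gen), bodies in seen.items():
        if len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            findings.append({"obj": f"{num} {gen}", "variants": len(set(bodies)),
                             "first_wins": bodies[0], "last_wins": bodies[-1],
                             "severity": "critical" if active else "info"})
    return findings


def extract_urls(objects):
    """EMBEDDED_URL: label each URL with the channel that carries it, so XMP
    namespace identifiers are not mistaken for clickable links."""
    found = []
    for num, gen, body in objects:
        if b"/Subtype" in body and b"/Link" in body:
            found += [(u.decode(), "link-annotation") for u in URI_RE.findall(body)]
        if b"/Metadata" in body:
            found += [(u.decode(), "xmp-namespace") for u in XMLNS_RE.findall(body)]
    return found


def seo_link_farm(urls, file_size, min_pdf_links=8, min_cluster=0.5, max_size=200 * 1024):
    """PDF_SEO_LINK_FARM: small file, many clickable .pdf links, one dominant host."""
    pdf_links = [u for u, ch in urls
                 if ch == "link-annotation" and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    fired = (file_size <= max_size and len(pdf_links) >= min_pdf_links
             and top_n / len(pdf_links) >= min_cluster)
    return {"fired": fired, "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_links": top_n}


def analyze(data):
    objects = parse_objects(data)
    urls = extract_urls(objects)
    return {"urls": urls,
            "link_farm": seo_link_farm(urls, len(data)),
            "duplicates": duplicate_object_bodies(objects)}


if __name__ == "__main__":
    for flag in (False, True):
        r = analyze(build_sample_pdf(active_update=flag))
        print("active_update=%s link_farm=%s duplicates=%s" % (
            flag, r["link_farm"]["fired"],
            [(d["obj"], d["severity"]) for d in r["duplicates"]]))
```

Run stand-alone, the script reports the link-farm check firing on both variants (11 clickable .pdf links, 10 of them on one host) and the duplicate "4 0" object at "info" severity for the body-only update and "critical" once the redefinition carries a JavaScript action, mirroring the severity rule stated in the heuristic. The `first_wins` / `last_wins` fields are what a triager would diff to see which content a lenient versus a strict reader will render.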

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off000078c3.bin
  SHA-256: 38293589215972366d6206cacaf0e2832f4e535ea06794a3f93c95995900cb3a
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x78C3
  Size:    5112 bytes

font_01_sfnt_off00008a25.bin
  SHA-256: 684980d0c71eb30e463e9a394f36d42533d8a9271b4c91e1ff61576f9d0e32dc
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x8A25
  Size:    10192 bytes

font_02_sfnt_off0000ad0b.bin
  SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xAD0B
  Size:    4324 bytes