Malicious PDF — malware analysis report

Static analysis result for SHA-256 4d96ea9a685c3dd5…

MALICIOUS

PDF

50.3 KB Created: 2020-08-01 10:59:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f83d533da403b6460b2d08ad074b3e78 SHA-1: 005f3355bd438a60605442f958b884d7ff47afb6 SHA-256: 4d96ea9a685c3dd5c982f1b5dd47b2b29a124516c8d72381616a5a1e97f888c4
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged as malicious by a machine learning classifier and contains numerous embedded links. One critical heuristic identified a link to a known malicious redirector, ttraff.cc, which is likely used to obscure the true destination of the attack. Another heuristic noted a large PDF link farm, with many links pointing to Shopify domains, suggesting an attempt to leverage legitimate platforms for hosting or distributing malicious content. The presence of these link farms and redirectors indicates a phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=json+comment+out
    • http://files.lindjonath.com/uploads/1/3/1/4/131483307/843ebdf882bf.pdf
    • http://files.iamscientiste.com/uploads/1/3/1/4/131452815/026a02.pdf
    • http://files.fabulousfacecreations.com/uploads/1/3/1/4/131482988/4649588.pdf
    • https://cdn.shopify.com/s/files/1/0437/0379/5877/files/80021155106.pdf
    • https://cdn.shopify.com/s/files/1/0432/9222/9787/files/zijodejawudagokutef.pdf
    • https://cdn.shopify.com/s/files/1/0429/9915/2799/files/zijagefewozez.pdf
    • https://cdn.shopify.com/s/files/1/0430/5554/6517/files/gijumuwetimixujefipida.pdf
    • https://cdn.shopify.com/s/files/1/0428/5648/0935/files/82277912572.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/38461358607.pdf
    • https://cdn.shopify.com/s/files/1/0432/0008/6180/files/59804171072.pdf
    • https://cdn.shopify.com/s/files/1/0435/2563/6248/files/bikibef.pdf
    • https://cdn.shopify.com/s/files/1/0428/6421/4182/files/10997555901.pdf
    • https://cdn.shopify.com/s/files/1/0428/5782/4419/files/vapeziwegupawokewewekitop.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/77160317291.pdf
    • https://cdn.shopify.com/s/files/1/0428/3655/7987/files/giravanetalogesukutiro.pdf
    • https://cdn.shopify.com/s/files/1/0431/0908/9434/files/48156936407.pdf
    • https://cdn.shopify.com/s/files/1/0431/1577/4108/files/86788735970.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000064bf.bin
792e288023e4fbe73a0351c4e4cf94c19217598e688914c0413f09f13c1160d5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x64BF 6568 bytes
font_01_sfnt_off0000750c.bin
1552e1e9f7ea651b95aa7a02e4a3440737f0ca16a6b69e933051994d034e3d92		 pdf-font-stream PDF embedded font (sfnt) at offset 0x750C 4596 bytes
font_02_sfnt_off00008498.bin
1308ef1515444f790b5a5b2940aa0c6e5dfaa5cebf2689e4f673cfcd550e0731		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8498 4992 bytes
font_03_sfnt_off000096c3.bin
08a2a7dc85a62f329a0c0570158df5bb9c796abe8a29610b0e11ad16a81e1fb0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x96C3 10916 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.