Malicious PDF — malware analysis report

Static analysis result for SHA-256 4e7ff616cd7ee1b4…

MALICIOUS

PDF

60.9 KB Created: 2020-08-29 17:27:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dae37fab3ce6e681ac4120b7b3c7c0ab SHA-1: 02d8e8584f389831de08d7546174ca22d7ffa47c SHA-256: 4e7ff616cd7ee1b4cdd2da7333c91d88dca98ce82f4ebd8b0c19a1e1cf2fd024
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous links, including one pointing to a known malicious redirector at 'ttraff.com'. The document body, though heavily obfuscated, contains text that appears to be a lure related to 'second language acquisition'. The presence of a link farm and a malicious redirector suggests an attempt to drive traffic to malicious infrastructure, likely for further exploitation or phishing. The ML classifier strongly supports the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=second+language+acquisition+by+steph
    • https://cdn.shopify.com/s/files/1/0433/4583/8239/files/rajinafilosorokigasovu.pdf
    • https://cdn.shopify.com/s/files/1/0433/8712/5910/files/crossword_quiz_answers_level_8_music.pdf
    • https://cdn.shopify.com/s/files/1/0432/6237/8152/files/sulupolepojenuliravanig.pdf
    • https://cdn.shopify.com/s/files/1/0434/7772/9432/files/14792893157.pdf
    • https://cdn.shopify.com/s/files/1/0427/5752/1574/files/zonosiguwibejelefujujares.pdf
    • https://static.usrfiles.com/ugd/b8c837_97c468cfd3ee45e4b0c3034c15c84f8b.pdf
    • https://static.usrfiles.com/ugd/b8c837_f44beb747a9245f6bf874a2b572fcb98.pdf
    • https://static.usrfiles.com/ugd/b8c837_292e57e6f54449f19591ea43a18221a3.pdf
    • https://static.usrfiles.com/ugd/286fb8_0dac29a2f737443686cb248deda87f47.pdf
    • https://static.usrfiles.com/ugd/b8c837_a6fa92e436784cf9956ea7197c1b1fa1.pdf
    • https://cdn.shopify.com/s/files/1/0461/4841/9747/files/flora_and_ulysses_guided_reading_level.pdf
    • https://cdn.shopify.com/s/files/1/0430/3978/5111/files/tabewugasigugosolifewu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/xaxigeruver.pdf
    • https://cdn.shopify.com/s/files/1/0433/4354/4488/files/nesilawifitofakev.pdf
    • https://cdn.shopify.com/s/files/1/0437/0831/7850/files/kakerenolemegupix.pdf
    • https://cdn.shopify.com/s/files/1/0431/4287/3249/files/watermark_remover.pdf
    • https://cdn.shopify.com/s/files/1/0459/7311/0951/files/bangla_film_manik.pdf
    • https://cdn.shopify.com/s/files/1/0430/7494/5184/files/8051200253.pdf
    • https://cdn.shopify.com/s/files/1/0436/2783/9641/files/nuwopiliribitoker.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ad5e.bin
47044897ed3a234b30d2c5637dfe76e8940d9d3565e52508307c95150a1dd517		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAD5E 5708 bytes
font_01_sfnt_off0000c0ba.bin
e2b748f1bfb03bb5e6d4b1a16e5a8a760a9432e2e3386d8fe5ca4a8fc6cb0a02		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC0BA 11048 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.