Malicious PDF — malware analysis report

Static analysis result for SHA-256 503f1039aa9e7a0a…

Verdict: MALICIOUS
File type: PDF
Size: 45.3 KB
Created: 2020-08-05 13:42:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c5eace75198a6db3cd051d7fe1bfa9b4
SHA-1: 4cf9e93474445d350fb3de756b37081d2158491b
SHA-256: 503f1039aa9e7a0a03944ed0ec93fff866cae62b49999bfdd76bff08dba39838
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document was flagged as malicious by a machine learning classifier and contains a large number of embedded links, forming a link farm. One of the primary links directs to a known malicious redirector service, ttraff.cc, which likely serves as a gateway to malicious content or phishing pages. The presence of numerous links, including those hosted on Shopify, suggests an attempt to distribute malicious content widely or to obscure the ultimate destination.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • Primary URL: https://ttraff.cc/pify?keyword=file+pdf+b%25E1%25BB%258B+quay+ng%25C6%25B0%25E1%25BB%25A3c

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005a87.bin
    SHA-256: 42c697f9d80dd75128c1c87a52ee5ae0ad681980f8fd9eab36fe870585c0be6b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5A87
    Size: 5724 bytes
  • Filename: font_01_sfnt_off00006de3.bin
    SHA-256: 56ff38161c43167c398921734fc050ed168ed90e37d03dba776e71cc157d4f5e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6DE3
    Size: 10428 bytes
  • Filename: font_02_sfnt_off0000913d.bin
    SHA-256: 541fa2b6826b0add99b7d5a173ef1e6a5567607b5192f75b810eb17d6a563501
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x913D
    Size: 16204 bytes