Malicious PDF — malware analysis report

Static analysis result for SHA-256 578e86d9e3029f64…

Verdict: MALICIOUS
File type: PDF
Size: 121.7 KB
Created: 2020-08-29 22:21:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0a69bd17fa423f3829bacb9d9a6c2e0a
SHA-1: 3e8f52df61e1b7e9287ba04f257f7dd865d82564
SHA-256: 578e86d9e3029f64171faffc1778c8a8c2eb0bcc8b00a9dd93f2087cbf7bf745
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it exhibits characteristics of a PDF SEO link farm, with numerous links to external PDFs, including one hosted on 'cdn.shopify.com'. The ML classifier also strongly indicated maliciousness. The document body, though heavily obfuscated, contains the same malicious URL, suggesting the primary intent is to redirect the user to this malicious site.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/wix?keyword=par%25C3%25A1metros+b%25C3%25A1sicos+para+identificar+y+estructurar+el+sistema+de+manufactura+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00017c80.bin
    SHA-256: 641249d6792dee46e8f22d9ebc6431b080dcf9fe971e8edc551fc30ab75d03e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17C80
    Size: 8780 bytes
  • Filename: font_01_sfnt_off000199df.bin
    SHA-256: d9f54692d23289ec5f08ea4d8229fe17b232333bf2d32aec276e4a2eb9784055
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x199DF
    Size: 5780 bytes
  • Filename: font_02_sfnt_off0001ace2.bin
    SHA-256: 2a8d4365900d2045f48c828d81cf77955e0e43cbae7cf819778c07ca10c1b275
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1ACE2
    Size: 13060 bytes