Malicious PDF — malware analysis report

Static analysis result for SHA-256 57ceec0d99d0b7bb…

MALICIOUS

PDF

Size: 45.9 KB
Created: 2020-08-10 05:16:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: d6adf6888a6397663193bdcdd6dfacac
SHA-1: 8c2335cd431f5fee46df26f3b8642ad59572294b
SHA-256: 57ceec0d99d0b7bbf2ca4ce2e4c7c546b52fa32a852d09c03ccdf465fa71e0f7

Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a high number of embedded links, many pointing to Shopify domains, but one critical link directs to a known malicious redirector at 'ttraff.com'. This suggests a link farm or phishing lure designed to redirect users to malicious content. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted, so the primary attack vector appears to be the malicious URL embedded within the document.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/pify?keyword=flumazenil+davis+drug+guide+pdf
    • http://files.drbouck.com/uploads/1/3/0/7/130740196/7166d1cf63f.pdf
    • http://files.mapdesignassociates.com/uploads/1/3/0/7/130776575/vusidomajaxexato.pdf
    • http://zonivu.heritagekitchenfood.com/uploads/1/3/1/3/131381428/nojuri-begodudulerelob-gawar-nemujekak.pdf
    • http://files.eurokreations.com/uploads/1/3/2/8/132815123/vozezujifani.pdf
    • https://cdn.shopify.com/s/files/1/0434/3745/7575/files/tumekonogaladusejat.pdf
    • https://cdn.shopify.com/s/files/1/0434/4460/0999/files/what_color_is_the_discord_background.pdf
    • https://cdn.shopify.com/s/files/1/0433/5144/1560/files/22811132756.pdf
    • https://cdn.shopify.com/s/files/1/0432/8990/3259/files/80159256542.pdf
    • https://cdn.shopify.com/s/files/1/0431/0846/6845/files/5514512042.pdf
    • https://cdn.shopify.com/s/files/1/0434/6275/4461/files/head_first_sql_download.pdf
    • https://cdn.shopify.com/s/files/1/0430/6262/4417/files/vcf_file_to_converter_online.pdf
    • https://cdn.shopify.com/s/files/1/0430/1586/4473/files/dd-_wrt_router_mode_vs_gateway_mode.pdf
    • https://cdn.shopify.com/s/files/1/0433/8352/1445/files/adobe_illustrator_tutorial_free.pdf
    • https://cdn.shopify.com/s/files/1/0435/7586/9599/files/knight_rider_apps.pdf
    • https://cdn.shopify.com/s/files/1/0432/1542/1600/files/kisivi.pdf
    • https://cdn.shopify.com/s/files/1/0431/7780/3931/files/jalijitisejivov.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00006833.bin
    SHA-256: 0a0875cebb41a2b7b6a7c5cb820cf22b9b9f866e6cf61a20080e2363fa34f98e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6833
    Size: 5120 bytes
  • font_01_sfnt_off00007982.bin
    SHA-256: 78b4312821c7e9b6f8deb09ca2be4c969656c0e151480c8193e3bd513a511b0d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7982
    Size: 10208 bytes
  • font_02_sfnt_off00009c6e.bin
    SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9C6E
    Size: 4324 bytes