Malicious PDF — malware analysis report

Static analysis result for SHA-256 598e8d957904d395…

MALICIOUS

PDF

41.2 KB Created: 2020-08-09 23:21:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ec2e4f3f727f8c6f5a7e12b59d7d0d57 SHA-1: c1c2de5f5fdf11f581e9a30555daf23da6c18295 SHA-256: 598e8d957904d3950c4bd1379ac530a315d271e37bb074a2abd6a89935067943
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document was flagged as malicious by an ML classifier and contains a critical heuristic indicating it links to known malicious redirector infrastructure. It also exhibits a PDF link farm, with numerous links pointing to external PDF files hosted on various domains, including shopify.com and other less reputable file-hosting sites. The primary malicious URL identified is https://ttraff.cc/pify?keyword=annotate+pdf+ipad+adobe, which is likely used to obscure the final destination of the attack.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=annotate+pdf+ipad+adobe
    • http://files.inspiredbygeology.com/uploads/1/3/1/4/131437246/dobegudozeretukojano.pdf
    • http://files.somebodyelsesjournal.com/uploads/1/3/0/9/130969371/siwefubitore.pdf
    • http://files.universalsole.com/uploads/1/3/1/4/131453177/8393634.pdf
    • http://files.canberralss.com/uploads/1/3/1/0/131070035/8060398.pdf
    • http://files.jennbower.com/uploads/1/3/1/3/131398279/jipolamoxosiveg-velomeno-gosibuxovewujel-vagovurun.pdf
    • https://cdn.shopify.com/s/files/1/0433/8096/5534/files/bronchial_asthma_journal.pdf
    • https://cdn.shopify.com/s/files/1/0429/9925/1093/files/sims_3_cars.pdf
    • https://cdn.shopify.com/s/files/1/0431/4916/4698/files/dutubipovowajuf.pdf
    • https://cdn.shopify.com/s/files/1/0434/3860/4450/files/panisilututaw.pdf
    • https://cdn.shopify.com/s/files/1/0428/1355/4855/files/safajopekozuzawosib.pdf
    • https://cdn.shopify.com/s/files/1/0431/9005/9157/files/93877516587.pdf
    • https://cdn.shopify.com/s/files/1/0434/8890/3325/files/xoximalebuzeza.pdf
    • https://cdn.shopify.com/s/files/1/0432/1322/6143/files/21327129075.pdf
    • https://cdn.shopify.com/s/files/1/0430/2045/1997/files/cessna_421c_service_manual.pdf
    • https://cdn.shopify.com/s/files/1/0428/8148/2919/files/jilobedamegis.pdf
    • https://cdn.shopify.com/s/files/1/0430/0426/4602/files/lugowobitowu.pdf
    • https://cdn.shopify.com/s/files/1/0434/0265/7957/files/10788163106.pdf
    • https://cdn.shopify.com/s/files/1/0429/8565/2375/files/kusigazokudap.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000063de.bin
b5e9aa279dd9294a42963ccca72e7227df74121dc17becfdfd5780fc93d225a5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x63DE 4856 bytes
font_01_sfnt_off0000747a.bin
d698aaf66a17c126cda02a7e1f3eca70f381d67278460cb6f8e628ce5ad5719d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x747A 10372 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.