Malicious PDF — malware analysis report

Static analysis result for SHA-256 5c84ebcf89b15a89…

Verdict: MALICIOUS

File type: PDF

Size: 36.2 KB
Created: 2020-08-06 17:28:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b55c52192bcaedb01816d74840c5a811
SHA-1: fc2e2ef2b1d7a31d31b2dc3c0c96e3d5441f95e8
SHA-256: 5c84ebcf89b15a89bfd4a98d4b5b4e1ec163d8a13cd581414a35e4557686d027
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

A heuristic fired indicating that the PDF links to known malicious redirector infrastructure, specifically 'ttraff.cc'. The document body also contains this URL, suggesting an attempt to trick users into visiting it for a supposed free PDF. The presence of numerous other PDF links, many hosted on Shopify, suggests a link-farm SEO tactic intended to improve search-engine ranking for malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=asana+pranayama+mudra+bandha+espa%25C3%25B1ol+pdf+gratis

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off00004a30.bin
    SHA-256: d70412be5fc89d906d3bd126be892e18bc951f373a043fd57f9f0e1c5cd04494
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4A30
    Size: 5896 bytes
  • font_01_sfnt_off00005ddf.bin
    SHA-256: eec9f1986a5c92057d830410be266a3fa8072cd9cff5ff715d76fdbe46151038
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5DDF
    Size: 10568 bytes