Malicious PDF — malware analysis report

Static analysis result for SHA-256 5f28a88055a9e9da…

Verdict: MALICIOUS
File type: PDF
Size: 67.9 KB
Created: 2020-08-23 01:24:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 211c354aea8493c29b54753edf02abbe
SHA-1: 3b1332bbe1e7b60a807c22908c8cb5f13b234fbb
SHA-256: 5f28a88055a9e9dae62064e42a754e13af213023c7bd8e68a0b23397315f7c60
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains multiple embedded links, one of which points at 'ttraff.com', a host identified as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting it is the primary lure. The numerous external PDF links, most of them on cdn.shopify.com, indicate a generated link farm or content-distribution carrier rather than a document with genuine citations; the wkhtmltopdf authoring application is consistent with such HTML-to-PDF mass generation. The ML classifier strongly flagged this PDF as malicious, supporting the assessment of a malicious-redirector pattern that depends on the user clicking a link rather than on a parser vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=barlow+semi+condensed+font
    • http://kaxavu.rewritingourstories.com/uploads/1/3/2/8/132814930/cd54d7d119.pdf
    • http://wimaxer.oceantreeyogastudio.com/uploads/1/3/1/6/131606629/muvisolenebi-dawavemovati-warododugukiji.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0432/1512/6692/files/7582476529.pdf
    • https://cdn.shopify.com/s/files/1/0437/1588/7256/files/jiruruzufibuzejaru.pdf
    • https://cdn.shopify.com/s/files/1/0432/9917/6612/files/velilisaravitosegotoxeted.pdf
    • https://cdn.shopify.com/s/files/1/0440/5084/1750/files/xuripisudixomulofazo.pdf
    • https://cdn.shopify.com/s/files/1/0434/5180/9957/files/vogiw.pdf
    • https://cdn.shopify.com/s/files/1/0433/5455/4533/files/tesedojawonivikipora.pdf
    • https://cdn.shopify.com/s/files/1/0431/6640/0673/files/viduvukuzarogotomukub.pdf
    • https://cdn.shopify.com/s/files/1/0447/7186/8821/files/analogical_reasoning_in_islamic_jurisprudence.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
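The three structural heuristics above (duplicate object bodies, link-farm shape, known redirector host) are easy to reproduce with a lenient scanner. The script below is an added example and is not the report's own engine; it runs on a constructed minimal PDF embedded inline, not on the analysed sample. The redirector host set, the active-content key list and the link-farm thresholds (at least 5 .pdf links, at least half on one host, file under 200 KB) are assumptions chosen to mirror the report's wording.

```python
"""Triage helpers for the PDF heuristics above (added example, not the report's
own engine): lenient object scanning for duplicate definitions, /URI link
extraction, and link-farm / redirector scoring. The scanner deliberately ignores
the xref table so it sees every object body on disk, including the ones a
first-wins or last-wins reader would never show you."""
import re
from collections import Counter
from urllib.parse import urlparse

# Hosts the report labels as redirector infrastructure. Assumption: in practice
# this set is fed from threat intel rather than hard-coded.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.com"}

# Keys whose presence turns a duplicated object into "active content" (assumed list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)

# Constructed minimal PDF (not the analysed sample). Object "4 0" is defined twice
# with different bodies, the second carrying JavaScript; the page has eight link
# annotations, six to .pdf files, four of those clustered on one host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 10 0 R 11 0 R 12 0 R] >> endobj
4 0 obj << /Length 0 >> stream
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://ttraff.com/pify?keyword=barlow+semi+condensed+font) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0001/files/a.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0002/files/b.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0003/files/c.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0004/files/d.pdf) >> >> endobj
10 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.net/uploads/e.pdf) >> >> endobj
11 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.org/uploads/f.pdf) >> >> endobj
12 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.example.com/) >> >> endobj
4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def find_objects(data):
    """Every (num, gen, body) in file order, duplicates included."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def resolve(data, num, gen, policy="last"):
    """Body a naive reader would use for (num, gen) under a first-wins or
    last-wins policy. Real readers consult the xref; this models the two
    extremes that the duplicate-object heuristic is worried about."""
    bodies = [b for n, g, b in find_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def duplicate_objects(data):
    """(num, gen) -> distinct bodies for objects defined more than once with
    differing bytes, plus whether any body carries active content."""
    seen = {}
    for num, gen, body in find_objects(data):
        seen.setdefault((num, gen), []).append(body)
    result = {}
    for key, bodies in seen.items():
        distinct = list(dict.fromkeys(bodies))  # keep order, drop byte-identical repeats
        if len(distinct) > 1:
            active = any(k in b for b in distinct for k in ACTIVE_KEYS)
            result[key] = {"bodies": distinct, "active": active,
                           "severity": "high" if active else "info"}
    return result


def extract_uris(data):
    """All /URI literal strings in file order; backslash escapes are unwrapped."""
    return [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(data)]


def link_farm_assessment(uris, file_size, min_links=5, cluster_ratio=0.5, max_size=200 * 1024):
    """Score the 'small PDF, many external .pdf links clustered on one host' shape."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    flagged = (file_size <= max_size and len(pdf_links) >= min_links
               and top_count / len(pdf_links) >= cluster_ratio)
    return {"pdf_links": len(pdf_links), "top_host": top_host,
            "top_count": top_count, "flagged": flagged}


def redirector_hits(uris):
    """URIs whose host is in the known-redirector set."""
    return sorted({u for u in uris if urlparse(u).hostname in KNOWN_REDIRECTOR_HOSTS})


def triage(data):
    """Run all three heuristics over raw PDF bytes."""
    uris = extract_uris(data)
    return {"duplicates": duplicate_objects(data), "uris": uris,
            "link_farm": link_farm_assessment(uris, len(data)),
            "redirectors": redirector_hits(uris)}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_PDF).items():
        print(k, v)
```

Run it on a real file with `triage(open(path, "rb").read())`. The object scanner intentionally does not decompress streams or walk object streams (/ObjStm), so a duplicate hidden inside a compressed object stream will be missed; for that case, extend `find_objects` with a FlateDecode pass before relying on the result.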

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000087bd.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x87BD   Size: 3120 bytes
    SHA-256: 750d1396ea0bf5fbbfb1efa7800930e25a2e400cebbc542b316d66b1e2c172b3
  • font_01_sfnt_off000092f2.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x92F2   Size: 5308 bytes
    SHA-256: ac3eaccffe1a01ad7b991103a89d87a2c9ceb5cc977902605b386a1b628905c6
  • font_02_sfnt_off0000a4f5.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0xA4F5   Size: 24480 bytes
    SHA-256: 17544b7159bc33603ef45ddac21c2ec4ad4f478b9246ec0c535762f85792b397
  • font_03_sfnt_off0000eb29.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0xEB29   Size: 16644 bytes
    SHA-256: c02e2f53e07ea5600b61f54464d1c29514763488547fd14cbde3df62446f9e0f