Malicious PDF — malware analysis report

Static analysis result for SHA-256 5fbafaf0d79fa46a…

MALICIOUS

PDF

48.7 KB Created: 2020-09-02 09:52:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 435576a5ba2422951fe9fcd48fef8ca8 SHA-1: 6264dd5f7a12fce5b945d5ed56e4b8afef3ef055 SHA-256: 5fbafaf0d79fa46a3bda8f892e76fba262d561a8fda4a1d5fbaf34dc79728a0a
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, with a critical heuristic identifying it as a PDF link farm. One of the primary links, 'https://ttraff.me/pify?keyword=amma+amma+song', is flagged as a malicious redirector. The document body, though heavily obfuscated, contains references to this malicious URL, suggesting an attempt to drive traffic to potentially harmful content. The presence of multiple PDF links, many pointing to Shopify, indicates a possible SEO manipulation or content farm strategy.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/pify?keyword=amma+amma+song
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://cdn.shopify.com/s/files/1/0431/0017/6544/files/1056536275.pdf
    • https://cdn.shopify.com/s/files/1/0430/8631/5682/files/sabimurutonuzibaja.pdf
    • https://cdn.shopify.com/s/files/1/0437/3794/0122/files/76950719184.pdf
    • https://cdn.shopify.com/s/files/1/0437/6199/1841/files/agni_nakshatram_tamil_songs.pdf
    • https://cdn.shopify.com/s/files/1/0428/7073/5014/files/97317448769.pdf
    • https://cdn.shopify.com/s/files/1/0462/3650/0128/files/5590556312.pdf
    • https://cdn.shopify.com/s/files/1/0431/3215/8116/files/gopojexojodonumofusuze.pdf
    • https://cdn.shopify.com/s/files/1/0430/2517/0595/files/lafasediduvutirew.pdf
    • https://cdn.shopify.com/s/files/1/0454/6861/4808/files/spoken_english_easy_learning.pdf
    • https://cdn.shopify.com/s/files/1/0438/9198/2491/files/joxexunijakazibolibejakox.pdf
    • https://cdn.shopify.com/s/files/1/0434/7808/9878/files/34491061543.pdf
    • https://cdn.shopify.com/s/files/1/0434/6108/3301/files/panera_bread_boxed_lunch.pdf
    • https://cdn.shopify.com/s/files/1/0437/1460/9305/files/runetowowafonev.pdf
    • https://cdn.shopify.com/s/files/1/0437/0392/6939/files/libros_de_ingles_basico_gratis.pdf
    • https://cdn.shopify.com/s/files/1/0440/3937/2965/files/urdu_calendar_2019_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0468/8907/4845/files/guided_meditation_for_healing_others.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ed7.bin
b621fbb45572c1053c808d9fb5cf117063790a20a7e4a1addfa7ea53fcb562e2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5ED7 4868 bytes
font_01_sfnt_off00006f4d.bin
c35a9c9e939cecc278a2213cf6dec8d7d207552966b13726cdabbb36a9ae53ca		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F4D 9900 bytes
font_02_sfnt_off00008837.bin
c5ddc765bd0cae1662250819d9ec66bdf17cc1829b6da0bbd2b50e3cdd9e7a67		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8837 14920 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.