Malicious PDF — malware analysis report

Static analysis result for SHA-256 604867315d518058…

Verdict: MALICIOUS

File type: PDF

Size: 54.7 KB
Created: 2020-09-05 21:22:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 41ed7bdcfc49a3d432489058d76ba9f7
SHA-1: 73f710da870c41a44847e94304fd6249f229bebb
SHA-256: 604867315d5180581f01eaedeffca8571db8688dde08ccad94ad155cf2768fba
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a heuristic firing for a malicious redirector link pointing to 'ttraff.club', which is also present in the document body. This URL is likely used to redirect users to a malicious site or download further content. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs, many pointing to Shopify domains, suggesting an attempt to manipulate search engine results or distribute content. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://ttraff.club/wix?keyword=iphone+notification+sound++free

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00008363.bin
  SHA-256: c4de01e64d744baf891f3ea1ef20e633516384a54ab9a11c9b483863760e244b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8363
  Size: 5148 bytes

Filename: font_01_sfnt_off000094e2.bin
  SHA-256: c604e955c3c9fffc8ab503c6481b2efaea5ed09e426c6f5273051268e8ee86e0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x94E2
  Size: 10260 bytes

Filename: font_02_sfnt_off0000b802.bin
  SHA-256: de4d8b2f57bd79f1a868fabda613d9936b110e31710edd4728466090b424b6ff
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB802
  Size: 16340 bytes