Malicious PDF — malware analysis report

Static analysis result for SHA-256 61d7ae4321f97627…

Verdict: MALICIOUS
File type: PDF
Size: 277.3 KB
Created: 2020-08-26 10:22:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9bfb68d0c8073e46a06db28a0082b00a
SHA-1: 1a1171469b4909ba521e56c3a7a51e63978e20ab
SHA-256: 61d7ae4321f976270e3e36f22b9d87928333aa50c03d2cc59efbf3c0b4f0784e
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF triggers a heuristic for a malicious redirector link pointing to 'ttraff.com'. The document body, though heavily obfuscated, contains the same URL, suggesting it is the primary lure. The ML classifier also flagged this PDF as malicious. The presence of this URL indicates the document is likely part of a phishing or malware distribution scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9981

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://ttraff.com/pify?keyword=cape+biology+syllabus+2018+pdf
    • http://gaxuraxeg.my-mobile-massage-therapy.com/uploads/1/3/1/0/131070189/tagejifexuduzomufe.pdf
    • http://files.nessflett.com/uploads/1/3/2/7/132741476/pajiz.pdf
    • http://fontawesome.iohttp://fontawesome.io/license/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.thdl.org/http://www.thdl.org/Tibetan
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0438/1055/4016/files/overloading_assignment_operator_c.pdf
    • https://cdn.shopify.com/s/files/1/0432/7155/3188/files/misawovapeborebemo.pdf
    • https://cdn.shopify.com/s/files/1/0431/6823/5682/files/nenamizit.pdf
    • https://cdn.shopify.com/s/files/1/0433/7165/9414/files/19815590122.pdf
    • https://cdn.shopify.com/s/files/1/0434/1900/9189/files/453952873.pdf
    • https://cdn.shopify.com/s/files/1/0438/8575/6568/files/rewuxulawibovifibarotiwa.pdf
    • https://cdn.shopify.com/s/files/1/0434/4715/6903/files/atomos_shogun_user_manual.pdf
    • https://cdn.shopify.com/s/files/1/0431/7747/6260/files/ridetipikozekakaxos.pdf
    • https://cdn.shopify.com/s/files/1/0427/9474/6023/files/lejujiwajopiwuzidafa.pdf
    • https://cdn.shopify.com/s/files/1/0433/1274/2550/files/jailbreaking_ios_7._1._2_iphone_4.pdf
    • https://cdn.shopify.com/s/files/1/0433/6268/0984/files/45295443254.pdf
    • https://cdn.shopify.com/s/files/1/0433/0638/5558/files/jowifatufolikatasox.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.htmlTibetan

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256 / Kind / Source / Size

Filename: font_00_sfnt_off0003d647.bin
  SHA-256: 93d5bb2720de0088363acb3e2129b5e4d541aff8fdb5f455a78cec64962762f1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3D647
  Size: 1656 bytes

Filename: font_01_sfnt_off0003de87.bin
  SHA-256: 0026489443ecef251187130fe4c964a883a8d9d75f19d0dbcf78dd5f6d66a32b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3DE87
  Size: 5596 bytes

Filename: font_02_sfnt_off0003f19c.bin
  SHA-256: 5235a9ef7d9eb2c031223c23f24cd9ad2a50561f9bb7bf729a46b44e4331137c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3F19C
  Size: 9204 bytes

Filename: font_03_sfnt_off00040404.bin
  SHA-256: 8a5055b17a8dd7f6cca0fcecb73fc63e211d9e76ec004e7fe913695c5edbb033
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x40404
  Size: 17412 bytes

Filename: font_04_sfnt_off00043899.bin
  SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x43899
  Size: 4324 bytes