Malicious PDF — malware analysis report

Static analysis result for SHA-256 66cbd4bd614251ee…

MALICIOUS

PDF

53.3 KB Created: 2020-09-09 12:01:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6ba99e7619f0af909ced400641ef8378 SHA-1: 54c2f9f821e2f6e5c101fb10d0f2111b9f4195d8 SHA-256: 66cbd4bd614251ee37938a36dde8a84d2a06c4df0363f48c3f6b7abd8de36d11
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of embedded links, many of which point to a link farm designed to redirect users to malicious infrastructure. The primary malicious URL identified is https://ttraff.me/pify?keyword=baroque+script+ttf+free, which is flagged as a known malicious redirector. While many other URLs point to seemingly benign Shopify-hosted PDFs, the presence of the malicious redirector and the sheer volume of links suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/pify?keyword=baroque+script+ttf+free
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0465/0359/2104/files/beautiful_life_movie.pdf
    • https://cdn.shopify.com/s/files/1/0457/7751/8748/files/dividing_negative_integers_worksheet.pdf
    • https://cdn.shopify.com/s/files/1/0432/6129/6790/files/zevoma.pdf
    • https://cdn.shopify.com/s/files/1/0428/8544/7833/files/felel.pdf
    • https://static.usrfiles.com/ugd/6846fe_6c3d1486eacf434f82459be952ef3fd5.pdf
    • https://static.usrfiles.com/ugd/bb05c1_74626590489b46d68d28b62a68a040c4.pdf
    • https://static.usrfiles.com/ugd/e9cba9_645fb019d1094699815b929e207965b1.pdf
    • https://cdn.shopify.com/s/files/1/0432/7528/8742/files/solubility_curves_graphing_activity_worksheet_answers.pdf
    • https://cdn.shopify.com/s/files/1/0459/7897/6423/files/neptunia_mk2_trophy_guide.pdf
    • https://cdn.shopify.com/s/files/1/0432/9455/6320/files/99567454785.pdf
    • https://static.usrfiles.com/ugd/a91264_80592708b78d4479883f65ef1d10dec9.pdf
    • https://static.usrfiles.com/ugd/c3548c_eeceb5984d5e47c1bc559fc6bc7ef0ec.pdf
    • https://static.usrfiles.com/ugd/538d67_7d6d8a13201b4c79bc03828ee21d558e.pdf
    • https://static.usrfiles.com/ugd/ea78e0_4ba4d74ac41343fa81c8f05f09738979.pdf
    • https://static.usrfiles.com/ugd/4a6c57_046a442eadd940cbbe78b6aa6f1aad1e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005df0.bin
69f653524d4d747f02acb944dac62a0f4c13604cf93902dc90c479abc67a1459		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5DF0 4928 bytes
font_01_sfnt_off00006ed5.bin
839335d50ab9610c37cfb87fe7a46c1926411a6ff946ea85af6efc537a0462f9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6ED5 17184 bytes
font_02_sfnt_off0000a4b9.bin
012db83adb865250da66a857585776eaa737eef8d5ef8e2c02e5cc55c1be51ea		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA4B9 16504 bytes
font_03_sfnt_off0000b9dd.bin
05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB9DD 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.