Malicious PDF — malware analysis report

Static analysis result for SHA-256 67a3c18a6ecd9427…

MALICIOUS

PDF

61.6 KB Created: 2020-08-17 12:43:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2ce50e77c7c437591e3f29bc94aeba5e SHA-1: 1140aa8509d775fe91d1417845b72e40f97d5457 SHA-256: 67a3c18a6ecd942719091a8806c6c4c5f9d2fad736b992941fa9b738ec0f8b34
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a link farm and a primary redirector URL, indicating an attempt to direct users to malicious content. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK specifically flags the ttraff.com URL as malicious. The presence of numerous external links, many pointing to Shopify, suggests a SEO-based link farm tactic to obscure the malicious destination. No scripts were extracted, and the document body is largely unreadable binary data, but the embedded links are sufficient to infer a malicious redirection attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=accretion+disk+form+solar+system
    • http://files.dartsreviewsuk.com/uploads/1/3/1/4/131437504/xonegatuwusuge-babobekepapelu-nirajub-vofewike.pdf
    • http://robik.arlordpac.ca/uploads/1/3/1/4/131408100/1065d66c6.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0427/7764/1116/files/88983700825.pdf
    • https://cdn.shopify.com/s/files/1/0428/8443/2038/files/bibiliya_yera_apk.pdf
    • https://cdn.shopify.com/s/files/1/0427/6181/4172/files/nivazunarezefu.pdf
    • https://cdn.shopify.com/s/files/1/0430/1894/4665/files/86900278721.pdf
    • https://cdn.shopify.com/s/files/1/0427/6686/0455/files/56575542579.pdf
    • https://cdn.shopify.com/s/files/1/0431/3628/6877/files/mufegeput.pdf
    • https://cdn.shopify.com/s/files/1/0429/4931/2665/files/guxewewabej.pdf
    • https://cdn.shopify.com/s/files/1/0439/9081/0782/files/89982734181.pdf
    • https://cdn.shopify.com/s/files/1/0432/0369/0660/files/the_stoner_s_cookbook_recipes.pdf
    • https://cdn.shopify.com/s/files/1/0433/2699/6633/files/15813507232.pdf
    • https://cdn.shopify.com/s/files/1/0434/6888/2072/files/folawelepidok.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009dc6.bin
06ce9a56e6c0e0a5bed72c958a05799ebd99043c73fff65eea4ace12dbac2029		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9DC6 5324 bytes
font_01_sfnt_off0000afcb.bin
1a37d37d0c5282399c16e32f00b840d8d30e1b37f46937a1a0669ed9dc5795f8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAFCB 10504 bytes
font_02_sfnt_off0000d3ec.bin
5550aee2d324c1284251b1b8f4ea932e27d1e8a15bb02d0b879354bc667cc3b8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD3EC 16232 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.