Malicious PDF — malware analysis report

Static analysis result for SHA-256 690ccaf627e7f857…

MALICIOUS

PDF

115.4 KB Created: 2020-08-30 11:42:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c8db3e92dc05b0b790c4def3fb7e4d42 SHA-1: 01c0eea0c293acb650a52214b2be1395409f7781 SHA-256: 690ccaf627e7f857fb6b2719c6947efe1781f2645dfa59420d72fa24e6169e6b
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link to a known malicious redirector, ttraff.ru, which is disguised as a download for cracked software. The PDF also contains a large number of links to other PDFs hosted on Shopify, likely for SEO manipulation or to appear more legitimate. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=aspen+hysys+v10+crack
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0433/8139/1514/files/20776519454.pdf
    • https://cdn.shopify.com/s/files/1/0441/1500/1496/files/ladixedoxekevo.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/zipepatijexozuzazes.pdf
    • https://cdn.shopify.com/s/files/1/0431/6214/0840/files/charbonneau_commission_report_english.pdf
    • https://cdn.shopify.com/s/files/1/0433/7670/5690/files/52668105682.pdf
    • https://static.usrfiles.com/ugd/b77b08_6242bed6106e4b7194fe24658bb22ba9.pdf
    • https://static.usrfiles.com/ugd/73f3b0_1923fa34cc3b4b5ab0625623235188a4.pdf
    • https://static.usrfiles.com/ugd/41a0b6_6c48d4817eeb414596b160d5bda18768.pdf
    • https://static.usrfiles.com/ugd/b8c837_41ce40455aa4495d8fbe82d0d08190ec.pdf
    • https://static.usrfiles.com/ugd/10e3af_c0f8582818064531b19f752783844a67.pdf
    • https://cdn.shopify.com/s/files/1/0438/2402/1664/files/libro_de_ingles_achievers_b1.pdf
    • https://cdn.shopify.com/s/files/1/0461/7161/9491/files/leper_darkest_dungeon_guide.pdf
    • https://cdn.shopify.com/s/files/1/0432/5117/1478/files/tafsiira_qur_aana_afaan_oromo.pdf
    • https://static.usrfiles.com/ugd/824332_cb6e0cd273324e5d802ecac634a0ef74.pdf
    • https://static.usrfiles.com/ugd/238140_99fad95c021d4aceb9ae6b3e74f3554b.pdf
    • https://static.usrfiles.com/ugd/b8c837_7f08fad810a54e01839bdafd1b2ee5ad.pdf
    • https://static.usrfiles.com/ugd/0047a4_fb44d380ba0b44f59f52beda12a4daa2.pdf
    • https://static.usrfiles.com/ugd/b8c837_2444a0616d6e463d80269e16338c0d03.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_007_off00019706.bin
99abbd10095c5da36f2637e54fecb68232a5792107eed051f60c72a8d2380893		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x19706 23704 bytes
font_00_sfnt_off0000e302.bin
67afeaacbde69e6035721df1ffe860173dad312618231fcf86a842c0f19c37f8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE302 34640 bytes
font_01_sfnt_off00014e83.bin
3b1daa684fa5bf13ae3d46c30d029eb1fa52dd1853ead6141235ab94b42b154b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14E83 5396 bytes
font_02_sfnt_off000160e2.bin
3dda358ddcc48730ab0cc7178b41f9c915527755a5fac2a8a976cd49630d3d88		 pdf-font-stream PDF embedded font (sfnt) at offset 0x160E2 20444 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.