Malicious PDF — malware analysis report

Static analysis result for SHA-256 69b43714d6869fe4…

Verdict: MALICIOUS
File type: PDF
Size: 47.8 KB
Created: 2020-08-19 06:33:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fe931c6e8c27bc940aa462ef99418a6e
SHA-1: 1e6718c8736920e1d7fb0bc5bfb856b29e50e1df
SHA-256: 69b43714d6869fe4b276a7156487be3b0ebccb50dca21831871166f0ab3b9e85
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains a large number of clickable external links, most of them pointing at other PDFs hosted on Shopify's CDN (cdn.shopify.com), which is the pattern of a generated SEO link farm rather than normal document citations. One critical heuristic matched a link to ttraff.cc, a known malicious redirector, which is the likely first hop of the redirect chain this document routes victims into. The ML classifier scored the file 1.0000 (malicious). Together these support the verdict: the file is a lure that leads users to harmful content through user-clicked redirects, not through a PDF parser exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (here it does not, hence info).
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Link targets and other content URLs (the redirector and the PDF link farm):
    • https://ttraff.cc/pify?keyword=android+carousel+github
    • http://bewisana.comobnp.org/uploads/1/3/1/4/131406717/6674963.pdf
    • http://files.uintapreparations.com/uploads/1/3/1/3/131398401/nosawagurubitow.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0438/4443/6128/files/71261903151.pdf
    • https://cdn.shopify.com/s/files/1/0433/0940/0214/files/kepovamekig.pdf
    • https://cdn.shopify.com/s/files/1/0436/2600/4642/files/jinalatelezitas.pdf
    • https://cdn.shopify.com/s/files/1/0437/6743/1320/files/catalogo_bticino_download.pdf
    • https://cdn.shopify.com/s/files/1/0435/6194/3199/files/mafonivusigazisukizi.pdf
    • https://cdn.shopify.com/s/files/1/0431/3609/0267/files/69212429865.pdf
    • https://cdn.shopify.com/s/files/1/0429/5314/6517/files/93540016122.pdf
    • https://cdn.shopify.com/s/files/1/0434/4568/2328/files/29421486259.pdf
    • https://cdn.shopify.com/s/files/1/0433/6821/8780/files/comment_crer_un_algorithme_informatique.pdf
    • https://cdn.shopify.com/s/files/1/0438/8087/4139/files/quotations_from_chairman_mao_tse_tung_download.pdf
    • https://cdn.shopify.com/s/files/1/0434/8379/1517/files/vomog.pdf
    Namespace and license URIs (XMP metadata namespaces and DejaVu font license strings, expected in wkhtmltopdf output; not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
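The three active heuristics above, as an added example (this is not the analysis platform's own detector code): a raw-bytes triage script that extracts /URI link targets, scores the small-PDF link-farm pattern, flags a known redirector host, and finds object ids defined twice with different bodies, escalating only when a duplicate carries active content. It assumes uncompressed objects (on real samples, inflate /ObjStm object streams first or the regexes see nothing); the host blocklist, the thresholds and the embedded sample PDF are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed for this example. ttraff.cc is the redirector host named in the
# report above; the thresholds are illustrative, not the platform's own values.
REDIRECTOR_HOSTS = {"ttraff.cc"}
SMALL_PDF_BYTES = 100 * 1024       # upper bound for a "small" PDF
LINK_FARM_MIN_PDF_LINKS = 5        # minimum clickable external .pdf links
LINK_FARM_CLUSTER_RATIO = 0.5      # share of those links on the busiest host

# Raw-object scanning: only sees uncompressed objects. A production detector
# must inflate /ObjStm object streams first or these regexes miss everything.
OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")


def iter_objects(pdf):
    """Yield (num, gen, body) for each 'N G obj ... endobj' in file order."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(pdf):
    """Ids defined more than once with differing bodies -> {(num, gen): [bodies]}.

    This is the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape: a first-wins reader
    resolves bodies[0], a last-wins reader resolves bodies[-1].
    """
    seen = {}
    for num, gen, body in iter_objects(pdf):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def has_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def extract_uris(pdf):
    """Collect /URI action targets, undoing PDF string escapes for ( ) and backslash."""
    uris = []
    for m in URI_RE.finditer(pdf):
        raw = m.group(1)
        for esc, lit in ((b"\\(", b"("), (b"\\)", b")"), (b"\\\\", b"\\")):
            raw = raw.replace(esc, lit)
        uris.append(raw.decode("latin-1"))
    return uris


def triage(pdf):
    """Return [(severity, heuristic_id, detail), ...] for the three heuristics."""
    findings = []
    uris = extract_uris(pdf)
    hosts = {urlparse(u).hostname or "" for u in uris}
    hit = sorted(hosts & REDIRECTOR_HOSTS)
    if hit:
        findings.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", hit))

    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    by_host = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_n = by_host.most_common(1)[0] if by_host else ("", 0)
    if (len(pdf) <= SMALL_PDF_BYTES
            and len(pdf_links) >= LINK_FARM_MIN_PDF_LINKS
            and top_n / len(pdf_links) >= LINK_FARM_CLUSTER_RATIO):
        findings.append(("critical", "PDF_SEO_LINK_FARM",
                         {"pdf_links": len(pdf_links), "top_host": top_host, "on_top_host": top_n}))

    for (num, gen), bodies in duplicate_objects(pdf).items():
        sev = "high" if any(has_active_content(b) for b in bodies) else "info"
        findings.append((sev, "PDF_DUPLICATE_OBJ_BODY_INCREMENTAL",
                         f"{num} {gen} obj defined {len(bodies)}x"))
    return findings


def _link_annot(num, uri):
    return (b"%d 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\nendobj\n"
            % (num, uri.encode()))


def _obj(num, body):
    return b"%d 0 obj\n%s\nendobj\n" % (num, body.encode())


# Constructed sample modelled on the report: one redirector link, a cluster of
# CDN-hosted PDFs, two stray hosts, one ordinary web link. Paths are invented.
SAMPLE_URIS = [
    "https://ttraff.cc/pify?keyword=android+carousel+github",
    *[f"https://cdn.shopify.com/s/files/1/0{i}/files/{i}.pdf" for i in range(430, 436)],
    "http://files.example-weebly.test/uploads/1/3/1/3/1.pdf",
    "http://example-cdn.test/uploads/6674963.pdf",
    "http://www.example-foundry.test/typedesigners.html",
]
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"".join(_link_annot(i + 1, u) for i, u in enumerate(SAMPLE_URIS))
    + _obj(20, "<< /Type /Pages /Count 1 >>")
    + _obj(21, "<< /Type /Catalog /Pages 20 0 R >>")
    # "incremental update": both objects redefined, only 21 gains active content
    + _obj(20, "<< /Type /Pages /Count 2 >>")
    + _obj(21, "<< /Type /Catalog /Pages 20 0 R /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>")
    + b"%%EOF\n"
)

if __name__ == "__main__":
    for severity, heuristic, detail in triage(SAMPLE_PDF):
        print(f"[{severity}] {heuristic}: {detail}")
```

On the constructed sample this reports the redirector hit, the link farm (8 PDF links, 6 on cdn.shopify.com) and both duplicate objects, with object 20 at info and object 21 raised to high because its second body adds an /OpenAction with JavaScript. Run it against the real sample only after inflating object streams, and treat the raw-regex object scan as a triage signal, not a conforming parse: a PDF that hides objects inside streams or uses unusual whitespace will evade it.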

Extracted artifacts (4)

Files carved from inside the sample during analysis. Embedded sfnt (TrueType/OpenType) font streams are expected in wkhtmltopdf output and are not indicators on their own.

  • font_00_sfnt_off00005a7e.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x5A7E   Size: 5328 bytes
    SHA-256: bf82c8612cd982e11275710756df22bd3061ae167d2f40e685f83ae8ccc1dba4
  • font_01_sfnt_off00006c7f.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x6C7F   Size: 1936 bytes
    SHA-256: cf50d13c5c21d2e34fba0d9dd21119d4839fc35fdaebfe62cbacf51850cc328d
  • font_02_sfnt_off000075be.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x75BE   Size: 10748 bytes
    SHA-256: 05234b99b0e1643ce6903e36d8f1bf2aca81b66ebe8f3e3455f068c54f38b5f0
  • font_03_sfnt_off00009ab9.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x9AB9   Size: 16748 bytes
    SHA-256: 33ae69ab1f3e42b0cf23def7ebdb3f0625f665c787d9f15d0134b411a3b193e0