Malicious PDF — malware analysis report

Static analysis result for SHA-256 6e882833509e5f13…

MALICIOUS

PDF

49.9 KB Created: 2020-08-02 09:54:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 467ee5bfccf3c21c91f9368d490bd292 SHA-1: be040c90c85f7b8ee2db502a50a6e0fa2663bacd SHA-256: 6e882833509e5f13794c55b327719f4c42dae9528047d8b38fbf7425c70d5937
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains numerous embedded links, with a critical heuristic identifying it as a malicious redirector. One of the primary links directs to `ttraff.com`, which is flagged as malicious infrastructure. The document body, though heavily obfuscated, contains the same redirector URL and a reference to setting up a local web server, suggesting a lure to a malicious site. The presence of a large number of PDF links, many pointing to Shopify domains, indicates a potential link farm or SEO manipulation tactic to distribute malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=set+up+local+web+server
    • http://files.leatherandlacestudio.com/uploads/1/3/0/8/130813948/jeraziwubi.pdf
    • http://files.nefabla.com/uploads/1/3/2/6/132681877/tivusoxikes.pdf
    • http://files.fisherah.com/uploads/1/3/1/6/131606408/325718e0eb9.pdf
    • http://files.ficebuffalo.org/uploads/1/3/2/6/132682802/2538212.pdf
    • http://files.zenofchemistry.com/uploads/1/3/0/7/130740217/f8533c16b9978e.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0432/9183/6566/files/tufagojametaxeraze.pdf
    • https://cdn.shopify.com/s/files/1/0437/9066/3832/files/6832323634.pdf
    • https://cdn.shopify.com/s/files/1/0435/2249/0528/files/99454444126.pdf
    • https://cdn.shopify.com/s/files/1/0437/4154/4600/files/pobidamewerawebudagi.pdf
    • https://cdn.shopify.com/s/files/1/0430/0190/5315/files/50885763652.pdf
    • https://cdn.shopify.com/s/files/1/0434/5082/6905/files/sarutot.pdf
    • https://cdn.shopify.com/s/files/1/0429/6497/5765/files/22842689451.pdf
    • https://cdn.shopify.com/s/files/1/0433/2398/1979/files/63894470911.pdf
    • https://cdn.shopify.com/s/files/1/0432/6824/3624/files/47456325738.pdf
    • https://cdn.shopify.com/s/files/1/0438/2405/4429/files/74561120196.pdf
    • https://cdn.shopify.com/s/files/1/0430/5249/9098/files/90444342226.pdf
    • https://cdn.shopify.com/s/files/1/0429/6369/7820/files/56035548915.pdf
    • https://cdn.shopify.com/s/files/1/0434/8693/7253/files/16110449024.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006e83.bin
11f98b57a19f12d5cfe45d4eb3041cd669f4511da0a1b9004521f101ce3445ef		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E83 5320 bytes
font_01_sfnt_off000080ba.bin
7818a79f893046d73f6558f583a45a2c37e738abb5c6128bc91cc89c7f499ac7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x80BA 10364 bytes
font_02_sfnt_off0000a468.bin
d5c1d73facc1ee30369663d5bc9e1d56b1b6bad2d1eb0652642bc5daa7bdf87b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA468 16352 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.