Malicious PDF — malware analysis report

Static analysis result for SHA-256 756f6851b0522f1d…

MALICIOUS

PDF

59.2 KB Created: 2020-08-31 00:40:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2d3d1ef4e3b1d3aba21c7d91cbe2d437 SHA-1: cc19309cf35515b2d4c1c0009e2d6daeacaa35ee SHA-256: 756f6851b0522f1d2a65a5aa3091e3b5d90666aff3887f77867beb7ac1d1afe0
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains a large number of embedded links, many of which point to a link farm infrastructure designed to redirect users to malicious sites. The primary malicious URL identified is ttraff.ru, which is flagged as a known malicious redirector. The document body, though heavily obfuscated, also contains this URL and other Shopify links, suggesting a tactic to disguise malicious redirects as legitimate content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=harry+potter+e+camara+secreta+pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0433/8368/5274/files/append_array_to_formdata_javascript.pdf
    • https://cdn.shopify.com/s/files/1/0432/0047/9391/files/bing_document_translator.pdf
    • https://cdn.shopify.com/s/files/1/0432/0080/7070/files/kikurosufovumefug.pdf
    • https://cdn.shopify.com/s/files/1/0430/5531/7149/files/fugudapekiwifefage.pdf
    • https://cdn.shopify.com/s/files/1/0434/5734/7741/files/gunitewafabeg.pdf
    • https://cdn.shopify.com/s/files/1/0429/4646/1852/files/47443336521.pdf
    • https://cdn.shopify.com/s/files/1/0443/0387/6252/files/google_play_store_app_android_2._2.pdf
    • https://cdn.shopify.com/s/files/1/0430/6072/3865/files/20347302553.pdf
    • https://cdn.shopify.com/s/files/1/0430/0944/1953/files/bopuvaxumega.pdf
    • https://cdn.shopify.com/s/files/1/0431/1236/6231/files/retorika_masining_na_pagpapahayag.pdf
    • https://static.usrfiles.com/ugd/b8c837_5b38c6e2aa7846ceaa1715db355501a9.pdf
    • https://static.usrfiles.com/ugd/15cd4d_5e0fe4eaa1514ab48729fbf9f0a7ded7.pdf
    • https://static.usrfiles.com/ugd/d17951_a603a96d013443b0bffbcbf4255085a6.pdf
    • https://cdn.shopify.com/s/files/1/0431/1479/1068/files/dolamusumatezanizulu.pdf
    • https://cdn.shopify.com/s/files/1/0462/9194/3584/files/budel.pdf
    • https://cdn.shopify.com/s/files/1/0432/3419/7666/files/english_speaking_course_urdu.pdf
    • https://cdn.shopify.com/s/files/1/0447/2619/0234/files/xivofagunuvitap.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009d70.bin
a399fe96af801c2052f662cdbde4f42b4a683414ee7bc8e1620d29cb9b520efd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9D70 3012 bytes
font_01_sfnt_off0000a837.bin
f916c19fed1c348cb72e3133b485b1b395b90b0db2ac3dc8d064224692fa5d47		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA837 5332 bytes
font_02_sfnt_off0000ba4a.bin
56c4ff3efb1fa3e3028f7a13037934d4dd7a494dbc0a4e4e4823870d425f6477		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBA4A 10652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.