Malicious PDF — malware analysis report

Static analysis result for SHA-256 76645abacf03105d…

Verdict: MALICIOUS
File type: PDF
Size: 45.4 KB
Created: 2020-08-01 05:26:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0345b9e693b9d7dac7b8195db073c58b
SHA-1: b76c4a20e22c0817cc4964614ae274e3b9056282
SHA-256: 76645abacf03105d378887a53dba38b44c82b11c645fec7ad29da0bc5fd7fe33
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries numerous embedded URLs, and a critical heuristic fires on a clickable link to the redirector host ttraff.com. The document body, although heavily obfuscated, refers to 'Optiplex 780 drivers' and carries the same redirector URL (https://ttraff.com/pify?keyword=optiplex+780+drivers), consistent with a lure aimed at users searching for hardware drivers. The large number of external links to other PDFs, most of them hosted on cdn.shopify.com, matches a generated SEO link farm used for search-ranking manipulation or wider distribution of the same carrier documents. The ML classifier also scores the file as malicious (1.0000). As the redirector heuristic notes, this family typically depends on the user clicking into a redirect chain rather than on a PDF parser vulnerability, so the clickable URLs, not the file's structure, are the primary indicators to block and hunt on.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for the same reference, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (JavaScript, launch or open actions).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=optiplex+780+drivers
    • http://files.curiouscreativecritical.com/uploads/1/3/1/0/131070072/8991190.pdf
    • http://files.natashagrover204.com/uploads/1/3/2/7/132740930/4ff261fac261.pdf
    • http://files.ruralactioninternational.com/uploads/1/3/2/7/132740620/vupese_fawabuniremakar_kukexiwafenedos_mamajubuk.pdf
    • http://files.inspiredayurveda.com/uploads/1/3/1/4/131437619/gamugusubunufijez.pdf
    • http://files.one-world-sales.com/uploads/1/3/2/6/132695258/keditojemola.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0428/9308/2783/files/markdown_resize_image.pdf
    • https://cdn.shopify.com/s/files/1/0431/5768/4385/files/42815844694.pdf
    • https://cdn.shopify.com/s/files/1/0429/9338/5633/files/390165466.pdf
    • https://cdn.shopify.com/s/files/1/0434/9624/3364/files/70005673927.pdf
    • https://cdn.shopify.com/s/files/1/0434/2690/6264/files/xibikunivup.pdf
    • https://cdn.shopify.com/s/files/1/0433/4977/0408/files/numomipedimad.pdf
    • https://cdn.shopify.com/s/files/1/0428/7922/1919/files/1997_chevy_tahoe_repair_manual.pdf
    • https://cdn.shopify.com/s/files/1/0431/2816/0417/files/solimadafo.pdf
    • https://cdn.shopify.com/s/files/1/0431/1587/2423/files/78857644115.pdf
    • https://cdn.shopify.com/s/files/1/0434/2556/2785/files/9360571663.pdf
    • https://cdn.shopify.com/s/files/1/0430/8389/0850/files/zeroforovoluxigejofusu.pdf
    • https://cdn.shopify.com/s/files/1/0428/8462/8633/files/xuvugovekufi.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/xozujegemuzudileruzodedus.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
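The three structural heuristics above (redirector link, PDF link farm, duplicate object body) are simple enough to reproduce for triage. The following is an added example written for this page, not the analysis engine's own code: it runs regex-based checks over raw PDF bytes. The sample PDF, the `files.example.net` host and the CDN paths are constructed; only the ttraff.com URL comes from the report, and the thresholds in `link_farm` are tuning choices, not the engine's.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analyzed file): a minimal PDF skeleton with six /URI
# link annotations, five of them pointing at .pdf files mostly on one CDN host, plus
# indirect object 4 0 defined twice with different bodies, as an incremental update
# would do. Only the ttraff.com URL is taken from the report; all other paths are made up.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 10 0 R] >> endobj
4 0 obj << /Title (Optiplex 780 drivers) >> endobj
5 0 obj << /Subtype /Link /A << /S /URI /URI (https://ttraff.com/pify?keyword=optiplex+780+drivers) >> >> endobj
6 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0001/files/a.pdf) >> >> endobj
7 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0002/files/b.pdf) >> >> endobj
8 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0003/files/c.pdf) >> >> endobj
9 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0004/files/d.pdf) >> >> endobj
10 0 obj << /Subtype /Link /A << /S /URI /URI (http://files.example.net/uploads/e.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /S /JavaScript /JS (app.alert('updated body')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")                       # literal-string URIs only
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)    # "N G obj ... endobj"
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|SubmitForm|GoToR)\b")

# Host taken from the report's critical heuristic; a real scanner loads this from threat intel.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.com"}


def extract_uris(data):
    """Return every /URI string literal found in the raw bytes (link annotations)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def redirector_hits(uris, bad_hosts):
    """URIs whose host, or a parent domain of it, is a known redirector."""
    hits = []
    for u in uris:
        host = urlparse(u).hostname or ""
        if any(host == b or host.endswith("." + b) for b in bad_hosts):
            hits.append(u)
    return hits


def link_farm(uris, min_links=5, min_cluster=0.6):
    """Flag when many clickable links point at .pdf files clustered on one host."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    if not pdf_links:
        return {"flagged": False, "pdf_links": 0, "top_host": None, "cluster": 0.0}
    host, n = Counter(urlparse(u).hostname or "" for u in pdf_links).most_common(1)[0]
    cluster = n / len(pdf_links)
    return {"flagged": len(pdf_links) >= min_links and cluster >= min_cluster,
            "pdf_links": len(pdf_links), "top_host": host, "cluster": cluster}


def object_definitions(data):
    """Map (num, gen) -> list of body bytes in file order, one entry per definition."""
    defs = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        defs.setdefault(key, []).append(m.group(3).strip())
    return defs


def duplicate_objects(data):
    """Objects defined more than once with differing bodies. Severity is raised to
    'critical' only when at least one body carries active content, mirroring the
    report's PDF_DUPLICATE_OBJ_BODY_INCREMENTAL rule."""
    findings = []
    for key, bodies in object_definitions(data).items():
        if len(set(bodies)) > 1:
            active = any(ACTIVE_RE.search(b) for b in bodies)
            findings.append({"obj": key, "definitions": len(bodies),
                             "severity": "critical" if active else "info"})
    return findings


def resolve_object(data, key, policy="last"):
    """Body a first-wins or last-wins reader would use for this object, or None."""
    bodies = object_definitions(data).get(key, [])
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


if __name__ == "__main__":
    uris = extract_uris(SAMPLE_PDF)
    print("redirector hits:", redirector_hits(uris, KNOWN_REDIRECTOR_HOSTS))
    print("link farm:", link_farm(uris))
    print("duplicate objects:", duplicate_objects(SAMPLE_PDF))
    print("first-wins 4 0:", resolve_object(SAMPLE_PDF, (4, 0), "first"))
    print("last-wins  4 0:", resolve_object(SAMPLE_PDF, (4, 0), "last"))
```

This is a triage-grade check, not a parser: URIs written as hex strings (`<...>`), objects packed into compressed object streams, and encrypted string literals are all invisible to a byte-level regex, which is why the engine's heuristics sit beside a proper PDF parser and an ML classifier rather than replacing them. The first-wins versus last-wins split is the part worth keeping in mind when a scanner and a viewer disagree about what a document contains.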

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000065a2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x65A2
    Size: 5316 bytes
    SHA-256: aec35458c62a20adb7574ca4d3f207ce6b59c9f5613f75824dbdaca4efaa7c86
  • font_01_sfnt_off000077d7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x77D7
    Size: 15268 bytes
    SHA-256: 4f2e740446246e48fdd0dc534c5fec5030b07f7704dbbac86da39980559dc6e7