Malicious PDF — malware analysis report

Static analysis result for SHA-256 773a329918ea43f6…

MALICIOUS

PDF

57.6 KB Created: 2020-08-10 07:08:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8fce7dfd7d14a789e0b6bd8af9e7c53b SHA-1: f72a1c7742eeea2cee73a4aea39fdbd3d6b9017f SHA-256: 773a329918ea43f6343cc0fb55fb3f1b0aa5c696d9a2d7e982bdd99e9f3cc70f
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded URLs, many of which are hosted on Shopify and appear to be disguised as academic documents or timetables. One critical heuristic indicates that the PDF links to known malicious redirector infrastructure, specifically 'ttraff.com', which is used to obscure the ultimate destination. The ML classifier strongly flags this PDF as malicious, supporting the conclusion that it is designed to lure users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=b.+sc+1st+year+time+table+2020+pdf
    • http://files.minilivestock.com/uploads/1/3/2/7/132740415/38a223c.pdf
    • http://fejebi.amymaddoxphotography.com/uploads/1/3/1/1/131164250/8350555.pdf
    • http://files.hiddenhispanicheritage.com/uploads/1/3/0/7/130740112/3515123.pdf
    • http://files.riverranchgoldens.com/uploads/1/3/1/6/131607163/kiwefo_povisukuxadez_lixozibi.pdf
    • http://files.brianchovanecknives.com/uploads/1/3/2/6/132681969/jukume.pdf
    • http://fedorahosted.org/lohit
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0430/8959/2473/files/sociology_of_religion_weber.pdf
    • https://cdn.shopify.com/s/files/1/0447/9251/2678/files/31810756126.pdf
    • https://cdn.shopify.com/s/files/1/0434/0183/8757/files/55033886331.pdf
    • https://cdn.shopify.com/s/files/1/0430/6790/0061/files/calculus_of_variations_maccluer.pdf
    • https://cdn.shopify.com/s/files/1/0428/0333/1231/files/tenojif.pdf
    • https://cdn.shopify.com/s/files/1/0434/9358/9142/files/zinovugapiboja.pdf
    • https://cdn.shopify.com/s/files/1/0432/5064/7204/files/28790124270.pdf
    • https://cdn.shopify.com/s/files/1/0431/0820/4708/files/muxobivobovutezoriwatum.pdf
    • https://cdn.shopify.com/s/files/1/0432/9363/8822/files/15172911583.pdf
    • https://cdn.shopify.com/s/files/1/0432/8806/8254/files/34427248302.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_006_off0000b978.bin
ca282bac2e525705c3799f79ef9bca629673211ae5508078f03e1c870d20bbcb		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xB978 9620 bytes
font_00_sfnt_off000077cd.bin
11331e926d963f8636a77fdeffe04d20c53a7f1cb0cc17720601fec1a2e805de		 pdf-font-stream PDF embedded font (sfnt) at offset 0x77CD 5948 bytes
font_01_sfnt_off00008c0a.bin
d5ecec3e822993868ba70e247019bcdb656a9fee58d620eb93bc70658e929280		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8C0A 3720 bytes
font_02_sfnt_off0000976c.bin
148ccd6a135146549bb9229188f5a2e4bb5cea5a63fa0f27df3154fdd8c8e555		 pdf-font-stream PDF embedded font (sfnt) at offset 0x976C 9852 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.