Malicious PDF — malware analysis report

Static analysis result for SHA-256 77e1333fe9fd86d6…

MALICIOUS

PDF

49.1 KB Created: 2020-08-22 02:12:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 49a9301fb1d2180463604393c9c773df SHA-1: 8c4e6bcd961deef497c2963b70f491066689592c SHA-256: 77e1333fe9fd86d6dfe2f143043ba785f18a4225c1df4daec0f20b8fb3e302a6
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for linking to known malicious redirector infrastructure, specifically 'ttraff.com'. It also exhibits a PDF link farm heuristic, indicating a large number of external links, many pointing to Shopify-hosted PDFs. The embedded URLs suggest an attempt to lure users to malicious content, likely for phishing or to download further malware. No scripts were extracted, but the presence of malicious redirectors and link farms strongly suggests a malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=adventures+in+odyssey+club
    • http://files.yorkregiondbc.com/uploads/1/3/0/7/130775897/jekusi.pdf
    • http://files.goquiltandstitch.com/uploads/1/3/0/8/130874119/ninosi-fapapimemowi-zofefevojoj-bumobanexozi.pdf
    • http://files.bairdsandthebeesca.com/uploads/1/3/2/6/132696155/boveluwibak.pdf
    • http://zozuluz.westparkrd.com/uploads/1/3/0/8/130874482/sukivoride_telixalemorola_gutob_pedazofa.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0447/8284/6109/files/cae_exam_sample_test.pdf
    • https://cdn.shopify.com/s/files/1/0432/3131/4077/files/dizixi.pdf
    • https://cdn.shopify.com/s/files/1/0431/1734/6965/files/puvuxojiluvifoja.pdf
    • https://cdn.shopify.com/s/files/1/0429/6992/3743/files/siluxadumeju.pdf
    • https://cdn.shopify.com/s/files/1/0435/6633/4111/files/77267003973.pdf
    • https://cdn.shopify.com/s/files/1/0433/0212/5733/files/john_deere_1025r_manual.pdf
    • https://cdn.shopify.com/s/files/1/0440/8187/3048/files/8368144262.pdf
    • https://cdn.shopify.com/s/files/1/0437/8578/1397/files/kixewarekimimukemu.pdf
    • https://cdn.shopify.com/s/files/1/0435/6092/7393/files/lexirobewesisira.pdf
    • https://cdn.shopify.com/s/files/1/0429/5678/3772/files/bringers_of_the_dawn_and_earth.pdf
    • https://cdn.shopify.com/s/files/1/0434/4433/8838/files/pivur.pdf
    • https://cdn.shopify.com/s/files/1/0430/9496/6436/files/42214535911.pdf
    • https://cdn.shopify.com/s/files/1/0432/5641/4363/files/pasajizebewodunofo.pdf
    • https://cdn.shopify.com/s/files/1/0432/2305/6545/files/promissory_note_template_texas_free.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006824.bin
adc7f477353169186a8911c2e2bf938c12e328a51fb960e82aba38e03ccc9acc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6824 3440 bytes
font_01_sfnt_off00007491.bin
547e39d79c501bc2f88ad77a224900224a8b8c402880da0cf264b612d5f4e49f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7491 5016 bytes
font_02_sfnt_off000085b4.bin
267dcb03b63b4605b413c68d15b76e4d21cd951a98afc6997de08fc2948535ea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x85B4 15092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.