Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b6fb057d57f39b1…

Verdict: MALICIOUS
File type: PDF
Size: 44.8 KB
Created: 2020-07-10 17:01:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f6b5884e25ce6ddb7cde7cddcaee51e7
SHA-1: 5c314475f8226e2e750de87876c3d87ffa2de054
SHA-256: 7b6fb057d57f39b1669611120f355ccb70f20994e35e1ed6ff91a197e20a2b94
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1566.002 Phishing: Spearphishing Link

The PDF contains a significant number of embedded URLs, with the primary redirector identified as 'ttraff.cc'. This indicates a likely phishing or malware distribution attempt. The ML classifier strongly flagged this PDF as malicious, and the presence of numerous links to external PDF files further supports the 'link farm' heuristic, suggesting an attempt to manipulate search engine results or distribute content through a wide network of sites. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (primary redirector first):
    • https://ttraff.cc/wb?keyword=media%20cuadratica%20estadistica%20pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005aea.bin
    SHA-256: a76c9d728034222feecccb9186fe6f23377f26a0aef33426e3ca478548c0dcc3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5AEA
    Size: 4788 bytes
  • Filename: font_01_sfnt_off00006b44.bin
    SHA-256: 2ab1ed04dd33d0804bd22030cea01f2696775988a355f37904db3723ecef165c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6B44
    Size: 11480 bytes
  • Filename: font_02_sfnt_off000090f2.bin
    SHA-256: d657604601c07a6cf666dc8a00d19994aa5efb5edd91eeca27759d64a9703145
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x90F2
    Size: 16084 bytes