Malicious PDF — malware analysis report

Static analysis result for SHA-256 7c64d0170df56d92…

Verdict: MALICIOUS
File type: PDF
Size: 66.8 KB
Created: 2020-08-08 16:16:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e70e7492ec76126ae624c66c1aee8f46
SHA-1: 796a3b9173b997ee2d536b04f1b49a1f0f844375
SHA-256: 7c64d0170df56d925d0061bd95241c3c386b2f876bf7c199f6f83a0b405aff20
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a high density of external links, many pointing to domains that appear to be part of a link farm designed to host SEO-optimized PDF files. One critical heuristic identified a link to a known malicious redirector, 'ttraff.cc', which is likely used to obscure the final malicious destination. The document body, though heavily obfuscated, contains text related to train timetables and includes the malicious URL, suggesting a lure to trick users into clicking the link.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=vadodara+to+surat+train+time+table+pdf

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256

  • font_00_sfnt_off00007fd3.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x7FD3; Size: 5292 bytes
    SHA-256: 0f1bfb1875e12c68659618bf77ab8883429421715f2ed96479d59df2c8902680
  • font_01_sfnt_off000091b5.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x91B5; Size: 3720 bytes
    SHA-256: d5ecec3e822993868ba70e247019bcdb656a9fee58d620eb93bc70658e929280
  • font_02_sfnt_off00009d18.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x9D18; Size: 16216 bytes
    SHA-256: c0c1b96da704aacb44dd15b0884ba478859db62a0d3a161f9d0b20a6b17bc2a5
  • font_03_sfnt_off0000cf13.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xCF13; Size: 16208 bytes
    SHA-256: c73952203654299b0a7159c3327eae7220080b0238c3fcf828e57e0d984a3fd6
  • font_04_sfnt_off0000e48b.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xE48B; Size: 7136 bytes
    SHA-256: 29d60bf410371b7833d9fc8da417719410aa8fbf25f50d5fc9355a4236c306c6