Malicious PDF — malware analysis report

Static analysis result for SHA-256 7d4b72b60e63c1b9…

MALICIOUS

PDF

45.2 KB Created: 2020-08-19 01:39:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e9824e692aa0d42a66edff1fc0adde37 SHA-1: 35b2f572766ed1cd86c7790864dec65f175d42e2 SHA-256: 7d4b72b60e63c1b9579bf54bcb63975519a86541a8e9270ad593b421098d152c
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a critical heuristic firing for a malicious redirector link, directing users to 'ttraff.com'. This URL is designed to obscure the true destination and likely leads to further malicious content or phishing attempts. The document also exhibits characteristics of a link farm, with numerous embedded URLs, many pointing to benign Shopify domains, but one critical link to a redirector. The presence of a malicious redirector suggests an attempt to trick users into visiting harmful sites, potentially for credential harvesting or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=carprog+manual+airbag
    • http://pivaf.sheltermusicboston.org/uploads/1/3/0/7/130739655/nipafenetiverigedogi.pdf
    • http://files.concordiachristianacademy.com/uploads/1/3/1/4/131454692/e7800f3ea96.pdf
    • http://ludolor.kwikwashlaundromat.com/uploads/1/3/0/8/130814328/cc2068d.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0433/3414/0072/files/76144696624.pdf
    • https://cdn.shopify.com/s/files/1/0437/6097/6021/files/fishing_report_upper_colorado_river.pdf
    • https://cdn.shopify.com/s/files/1/0444/4746/5639/files/bravura_march.pdf
    • https://cdn.shopify.com/s/files/1/0433/8706/0378/files/xudiwo.pdf
    • https://cdn.shopify.com/s/files/1/0431/8111/3506/files/envision_math_grade_2.pdf
    • https://cdn.shopify.com/s/files/1/0433/5930/5880/files/89519589316.pdf
    • https://cdn.shopify.com/s/files/1/0430/5698/8317/files/zopogonupila.pdf
    • https://cdn.shopify.com/s/files/1/0434/0026/5878/files/mathematical_methods_physicists_arfken.pdf
    • https://cdn.shopify.com/s/files/1/0428/9606/4671/files/arduino_projects_for_ham_radio.pdf
    • https://cdn.shopify.com/s/files/1/0440/7102/6853/files/asce_7_05.pdf
    • https://cdn.shopify.com/s/files/1/0434/4958/1724/files/doterra_aroma_lite_diffuser.pdf
    • https://cdn.shopify.com/s/files/1/0432/0316/6369/files/meluvelubofenobosezid.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004c7a.bin
b32dc56672caba5da99b9a5661e6a41cf24b802095db0dfbfc6adfe42eb4d79f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4C7A 4808 bytes
font_01_sfnt_off00005ca2.bin
b6a9fe866af1de5489b09b055af0bdcd3ec4ca2bb6d0f817152c1c9c9148f0e9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5CA2 12236 bytes
font_02_sfnt_off00008435.bin
288645b9b601f5e921a8eb443df0aeb1d6335bcfaefe0ae4725cc0adef041b85		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8435 16220 bytes
font_03_sfnt_off0000998d.bin
4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x998D 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.