Malicious PDF — malware analysis report

Static analysis result for SHA-256 8c7a7e4b2b29d0a5…

MALICIOUS

PDF

38.5 KB Created: 2020-08-11 03:57:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 316cae7a8ba6886e6fd8e777efdf63f7 SHA-1: db1593c9afb9508180def353d6bdc2d0afcdf8e4 SHA-256: 8c7a7e4b2b29d0a5871a9c5d7fafa7ca2577b4ba3bda4e3cb53ee08e1441112d
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.cc'. The document body, though heavily obfuscated, contains the same URL, suggesting it's the primary lure. The presence of numerous external PDF links, many hosted on Shopify, indicates a link farm strategy, likely to improve SEO for malicious content or to obscure the true destination. The ML classifier strongly supports the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=air+pollution+mn+rao+book+pdf
    • http://xaxipe.presbychurchcoldspring.org/uploads/1/3/0/8/130814328/8845513.pdf
    • http://files.thepetpantry.ca/uploads/1/3/0/7/130775659/gisewosivenim.pdf
    • http://menurarim.agroschurch.com/uploads/1/3/2/6/132682883/naroje-sunewo-zamaxurad-perekagumifo.pdf
    • http://files.alamovalleyconstruction.com/uploads/1/3/1/4/131408027/4630725.pdf
    • https://cdn.shopify.com/s/files/1/0438/4587/7922/files/wujumenewil.pdf
    • https://cdn.shopify.com/s/files/1/0440/6863/4789/files/authorizations_in_sap_software_design_and_configuration.pdf
    • https://cdn.shopify.com/s/files/1/0431/6269/7894/files/11683737130.pdf
    • https://cdn.shopify.com/s/files/1/0435/4696/8215/files/tulaligitukax.pdf
    • https://cdn.shopify.com/s/files/1/0434/2952/7709/files/bagowisokebes.pdf
    • https://cdn.shopify.com/s/files/1/0435/4605/0714/files/using_statistical_methods_in_social_science_research.pdf
    • https://cdn.shopify.com/s/files/1/0432/2911/8627/files/22469503324.pdf
    • https://cdn.shopify.com/s/files/1/0429/6802/3194/files/99488856044.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/zexula.pdf
    • https://cdn.shopify.com/s/files/1/0432/1918/9915/files/sap_bods_4._2_technical_manual.pdf
    • https://cdn.shopify.com/s/files/1/0436/4346/9974/files/66086398279.pdf
    • https://cdn.shopify.com/s/files/1/0431/0204/4316/files/acidosis_in_cattle.pdf
    • https://cdn.shopify.com/s/files/1/0433/3525/4170/files/82760372081.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0433/3525/4170/files/82760372081

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000058b0.bin
03956d392942ffd9b2f78a99e4cdb2072ca313c038c25c7bbed371914550c92d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x58B0 5200 bytes
font_01_sfnt_off00006a40.bin
94714a358b5167dfe45c79199513e26a71f093f72236e2beaa430d09f690e2e9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6A40 10232 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.