Malicious PDF — malware analysis report

Static analysis result for SHA-256 90a41dd30a47ce43…

MALICIOUS

PDF

49.6 KB Created: 2020-08-12 13:04:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c55f15f45905948ea09603abb31b68b1 SHA-1: 04e4a00532cf2a53e93e4434a76c59d86d2b4bb2 SHA-256: 90a41dd30a47ce43a755ed12eab2217fb5f2f1b690839e1cf8be5b6a474d52ed
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a high number of links, many pointing to benign Shopify domains, but one critical link redirects to known malicious infrastructure at 'ttraff.cc'. The document body, though heavily obfuscated, contains text referencing 'Everest base camp packing list pdf' and the malicious redirector URL, suggesting a social engineering lure. The ML classifier strongly flagged this PDF as malicious. The primary attack vector appears to be directing users to a malicious redirector via a deceptive link.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wb?keyword=everest%20base%20camp%20packing%20list%20pdf
    • http://kedivatab.valancourtbooks.com/uploads/1/3/1/3/131379578/bawamuj-vuxafatinajabos-dinotejudoged-dawidavapu.pdf
    • http://files.oldcountryleather.com/uploads/1/3/0/7/130739544/8570615.pdf
    • http://files.dioperez.com/uploads/1/3/1/4/131408741/7989140.pdf
    • http://files.meaningfulmovementproject.com/uploads/1/3/1/1/131164555/goxoxufilodo_roredegubilur_penitosivesujab.pdf
    • http://wosupof.southernohiovinyl.com/uploads/1/3/0/9/130969061/ca1e2146ea.pdf
    • https://cdn.shopify.com/s/files/1/0434/4859/8678/files/va_form_10-_10ezr_fillable.pdf
    • https://cdn.shopify.com/s/files/1/0435/2802/8312/files/accord_de_paris_cop21.pdf
    • https://cdn.shopify.com/s/files/1/0433/9102/5306/files/fanelovenamefejodis.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/zeranosorijajigafa.pdf
    • https://cdn.shopify.com/s/files/1/0438/5167/7856/files/27515404284.pdf
    • https://cdn.shopify.com/s/files/1/0435/2226/1143/files/fixiruxifixixemavelop.pdf
    • https://cdn.shopify.com/s/files/1/0430/9060/8285/files/buvuzizesanelura.pdf
    • https://cdn.shopify.com/s/files/1/0438/7156/8040/files/62882451659.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/mutim.pdf
    • https://cdn.shopify.com/s/files/1/0435/3458/1911/files/manimozomufefeperafavawe.pdf
    • https://cdn.shopify.com/s/files/1/0433/4023/4911/files/anoreksiya_nervoza_beslenme_tedavisi.pdf
    • https://cdn.shopify.com/s/files/1/0437/3980/7893/files/wujevafojo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000828a.bin
46c8b2b8caa1182b720cab247ce7abacbd1704214c4dad0f8febd4bfc5138395		 pdf-font-stream PDF embedded font (sfnt) at offset 0x828A 5696 bytes
font_01_sfnt_off000095d6.bin
0713a42fd5e73d5e97f0dc6a61165f65474806a82ba027fd4b9c9f13cb1243a1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x95D6 10412 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.