Malicious PDF — malware analysis report

Static analysis result for SHA-256 90c305e6e3869845…

MALICIOUS

PDF

64.5 KB Created: 2020-07-31 14:52:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d419646707062d5b5c4191ff563c889e SHA-1: 0ce01e7d8e9d050356a39b51110d1ecf13721c9e SHA-256: 90c305e6e3869845fe81180b9a3da9217f5d1322deeb9ff433b377209e9079e6
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to ttraff.com. Additionally, it exhibits characteristics of a PDF link farm, with numerous external links, many hosted on Shopify. The ML classifier also strongly indicated maliciousness. The document body appears to be malformed or obfuscated, preventing a clear understanding of its content, but the presence of the malicious redirector is sufficient evidence of a malicious intent, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=auditory+system+pdf
    • http://files.pflagblueridge.org/uploads/1/3/1/8/131857983/9879802.pdf
    • http://files.glutenaciouslife.com/uploads/1/3/1/4/131438180/jibugazubasa_gedufutelesodo_pidawadexinomil_gijisakurujubuj.pdf
    • http://files.bluejacketjamboree.org/uploads/1/3/0/8/130814120/kawuvev.pdf
    • http://files.baln.org/uploads/1/3/0/7/130776445/kexapabonasawufa.pdf
    • https://cdn.shopify.com/s/files/1/0432/1073/5780/files/12328969554.pdf
    • https://cdn.shopify.com/s/files/1/0430/9975/0560/files/58705247483.pdf
    • https://cdn.shopify.com/s/files/1/0428/2312/3100/files/gizomiwag.pdf
    • https://cdn.shopify.com/s/files/1/0427/6341/9814/files/3177492625.pdf
    • https://cdn.shopify.com/s/files/1/0427/6197/8023/files/japegurorajizoz.pdf
    • https://cdn.shopify.com/s/files/1/0430/2327/0042/files/69689426965.pdf
    • https://cdn.shopify.com/s/files/1/0428/3321/5644/files/9403172127.pdf
    • https://cdn.shopify.com/s/files/1/0428/0313/4627/files/9895274684.pdf
    • https://cdn.shopify.com/s/files/1/0437/1313/4757/files/7380141071.pdf
    • https://cdn.shopify.com/s/files/1/0435/2340/8032/files/rosigezudogovezuk.pdf
    • https://cdn.shopify.com/s/files/1/0431/1092/4437/files/lerozesozomuz.pdf
    • https://cdn.shopify.com/s/files/1/0434/4040/6684/files/92409776037.pdf
    • https://cdn.shopify.com/s/files/1/0433/9567/8359/files/fewokifagawuxa.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c094.bin
c702b21cac7ef0518c13eb8f90226f73b60c92bf5855806f71cef9c45e2be891		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC094 4812 bytes
font_01_sfnt_off0000d100.bin
3f8c1c34db2c9b74ecbadc585b97d3b9f5669d6b799f72d7fbd7e2c06a486579		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD100 10420 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.