Malicious PDF — malware analysis report

Static analysis result for SHA-256 9554dfbb8bf15698…

MALICIOUS

PDF

43.1 KB Created: 2020-09-20 20:32:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: db4264365199094291b857a704c63a22 SHA-1: d8676754a8abc64346c6a6bbc4290f3f25e29111 SHA-256: 9554dfbb8bf15698b01d5e8bd115b7892f1dfdfc3c904248c13f94a3ae11a0fd
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

This PDF file was flagged as malicious by an ML classifier and contains a large number of embedded links. One of these links, https://ttraff.club/wix?keyword=tour+guide+script+in+cebu, points to known malicious redirector infrastructure. The document body, though heavily obfuscated, also contains this URL and numerous other links to PDF files hosted on Shopify and other file-sharing services, suggesting a link farm or redirection scheme. The primary attack pattern appears to be the distribution of malicious content or SEO manipulation through a dense network of links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=tour+guide+script+in+cebu
    • https://cdn.shopify.com/s/files/1/0465/0821/2374/files/momo_granny_scary_house_apk.pdf
    • https://cdn.shopify.com/s/files/1/0436/2112/2211/files/size_distance_relationship.pdf
    • https://cdn.shopify.com/s/files/1/0431/0145/4500/files/computer_networks_interview_questions.pdf
    • https://ea6c0eed-46d8-4b42-b016-9dca16cb38e8.filesusr.com/ugd/6fd45c_34cdea55f38749d385900e3c2a87516d.pdf?index=true
    • https://b5db7cdd-df09-4411-919b-c2e66c25d67c.filesusr.com/ugd/89064d_a94e77babe6c4a4fab03d05cce6717c3.pdf?index=true
    • https://e57462ce-18ea-43d0-acf5-87eef9e81bae.filesusr.com/ugd/440e29_ade90a54c7be4494998d09b2d5ce5a48.pdf?index=true
    • https://201e7374-b35d-4590-9966-ef9f76e8ba5c.filesusr.com/ugd/824332_4269c0f05b654fe58c4331e34a29eebd.pdf?index=true
    • https://32f47405-4cb0-44f2-9b3a-c03dbc47324e.filesusr.com/ugd/83e24f_651cc9ed77d3460c91d5cdf02a45c9e1.pdf?index=true
    • https://5cca12a8-23e9-4fdf-b2d5-c6449bfc5ddb.filesusr.com/ugd/843280_4fa6ff622f65430fb7d1b48874831ce0.pdf?index=true
    • https://a60764fa-0c33-433e-8327-0b27261e57dc.filesusr.com/ugd/d8966e_8cf8a50ee63646bb98310a35cdc4b28d.pdf?index=true
    • https://9d9bba3f-57d0-4a6e-8fdb-256b3cdf3713.filesusr.com/ugd/8db125_00129b15f65c49ef89ea90cbd0ea1514.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006ab4.bin
a03f68b2113ec848d4097e1316f7e515d5e5b3c9da1822e884cc5b55d739e15d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6AB4 5088 bytes
font_01_sfnt_off00007c10.bin
61966923039e8720a5fa807989bd5fa6338c3066ebd7d854478b584267deea6a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C10 10628 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.