Malicious PDF — malware analysis report

Static analysis result for SHA-256 a01302c214787466…

Verdict: MALICIOUS
File type: PDF
Size: 48.5 KB
Created: 2020-08-11 19:27:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1913541eb522e92a854b4fe664bde695
SHA-1: 6c2a55bca21af5eec78bce9097b03fc003f8040f
SHA-256: a01302c214787466000b15e7ff1e08b10a79ef06f07ec0f7a704bf1686381f38
Risk score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links, many pointing to Shopify domains, but also includes a critical redirector link to 'ttraff.cc'. This suggests a link farm or SEO manipulation tactic designed to lead users to malicious content. The ML classifier strongly supports the malicious nature of this PDF. No scripts were extracted, so the exact payload delivery mechanism beyond the redirector is not discernible.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=bhagavad+gita+pdf+sanskrit

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000051c2.bin
    SHA-256: 99ae5423eda8f63dff2b2de182fea8f22e5d985b1377cc834899d5ee893c3133
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x51C2
    Size: 5444 bytes
  • font_01_sfnt_off00006451.bin
    SHA-256: 4063f1c5ecb0c6a2ac4b8a0f215aaf05769e932248e9ce126bb76a09778070f6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6451
    Size: 10432 bytes
  • font_02_sfnt_off000087e0.bin
    SHA-256: 43254c6337662e76ed67025008a42d76121bee43b935a85a5f582473253d5118
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x87E0
    Size: 16096 bytes
  • font_03_sfnt_off00009ce3.bin
    SHA-256: fae0e90fafaff5ead438c4f159fcc2b46183b8629dd15dd873c54a2a54e5a2f1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9CE3
    Size: 7064 bytes