Malicious PDF — malware analysis report

Static analysis result for SHA-256 a2ceb32ce4ee69ca…

MALICIOUS

PDF

39.3 KB Created: 2020-08-31 20:49:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ccb96f0eeee71a9af65734e5e133e5cc SHA-1: 3d6737769d6bd79e011ddc829904bcb2e1648696 SHA-256: a2ceb32ce4ee69ca1e305e46df253d04fd05c4aca41a6b729d90d37c947c5d0b
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged by a machine learning classifier as malicious and contains a critical heuristic indicating it links to known malicious redirector infrastructure. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs pointing to external PDF documents. The primary malicious URL identified is https://ttraff.com/wix?keyword=certificate+format+for+project+in+word, which is likely used to redirect users to a malicious site. The document body itself is heavily obfuscated and contains no readable content, further suggesting a malicious intent behind the link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=certificate+format+for+project+in+word
    • https://static.usrfiles.com/ugd/b8c837_25543622b9ae4d07bb1ea74336628cf4.pdf
    • https://static.usrfiles.com/ugd/b8c837_867dfd62903a4df59efb9f9b30a9b231.pdf
    • https://static.usrfiles.com/ugd/b8c837_33ed2aa250824ee2b529c83309b153c1.pdf
    • https://static.usrfiles.com/ugd/cafc24_3c50e81b26c14cf7bb13f93b959c09d3.pdf
    • https://cdn.shopify.com/s/files/1/0434/8028/5348/files/anchoring_script_in_marathi_for_freshers_party.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/80170273674.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/kivamusefelozadadazub.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/womonevixaxijebuvi.pdf
    • https://cdn.shopify.com/s/files/1/0437/7909/6728/files/51146192467.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005aef.bin
9283149257838fd67981e08557a8e117a898a0ff4812a70215bd94ba98dceee7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5AEF 5164 bytes
font_01_sfnt_off00006c7a.bin
7f84663287fb39bc3d5d30cfb170762fefe22bd9a6a60f94d6fc66e1e3571699		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C7A 10664 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.