Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa5957fd6cfda419…

Verdict: MALICIOUS
File type: PDF
Size: 101.5 KB
Created: 2020-08-02 21:43:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f8a39e20931c98982fbe29b4e6e4f0ea
SHA-1: 742adc2f37f753c285b605f9db0d863ee12d6f73
SHA-256: aa5957fd6cfda41976b6de23bfb45717ec0624ee7cb8ee82a7cfdfd0cf6a55fe
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF triggers a critical heuristic for a malicious redirector link pointing to 'ttraff.com'. It also triggers a PDF link-farm heuristic, indicating a large number of outbound links, many of them hosted on Shopify. The URL embedded in the document body also resolves to the malicious 'ttraff.com' domain. Together this suggests the document's primary purpose is to lure users to malicious sites, most likely for phishing or to download further malware.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=centurylink+ip+address

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off00013789.bin
    SHA-256: 249df522d8b216bd8091999ed95a9bdd3537a2a3c09da21770beb3af8f3d9688
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13789
    Size: 4916 bytes
  • font_01_sfnt_off00014849.bin
    SHA-256: 095d25f5751a9d95f7e6b8d2af1fcfa879a850d7563134729704094de95ad6a1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14849
    Size: 16728 bytes
  • font_02_sfnt_off00017ae1.bin
    SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17AE1
    Size: 4324 bytes