Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad9bd6dc164114e3…

MALICIOUS

PDF

62.8 KB Created: 2020-08-05 01:47:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ca8931fb52b957dfc36bacbbb2633a82 SHA-1: 9a393295f03e6fcc10aebc1e61484b0d56b4df4c SHA-256: ad9bd6dc164114e3810b30dd6f58bc0dfec7fba752bff4b4904c60c54d6ce2ad
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, many hosted on 'cdn.shopify.com', likely for SEO manipulation to improve search engine ranking for malicious content. The ML classifier also strongly indicated maliciousness. The document body, though heavily obfuscated, contains the same URL found in the redirector link, suggesting it's the primary lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=robotium+automated+testing+for+android+pdf
    • http://files.lamarrministriesllc.com/uploads/1/3/0/8/130814676/monen.pdf
    • http://files.peaceloveandhairsalon.com/uploads/1/3/1/8/131871909/3927389.pdf
    • http://files.innovationsbuildingservices.com/uploads/1/3/1/4/131438741/3ca2f8128cf.pdf
    • http://files.harveycornphotography.com/uploads/1/3/2/7/132740923/5883397.pdf
    • http://files.drchassereau.com/uploads/1/3/2/3/132303010/petafo.pdf
    • https://cdn.shopify.com/s/files/1/0433/4521/5656/files/da_capo_music_definition.pdf
    • https://cdn.shopify.com/s/files/1/0432/2295/8248/files/beduxadesewun.pdf
    • https://cdn.shopify.com/s/files/1/0427/5775/0951/files/52328662697.pdf
    • https://cdn.shopify.com/s/files/1/0433/2208/1448/files/72554887759.pdf
    • https://cdn.shopify.com/s/files/1/0432/7617/3472/files/91072096464.pdf
    • https://cdn.shopify.com/s/files/1/0432/3033/1039/files/40369321391.pdf
    • https://cdn.shopify.com/s/files/1/0428/4622/4551/files/12988173595.pdf
    • https://cdn.shopify.com/s/files/1/0431/2160/6818/files/48916409208.pdf
    • https://cdn.shopify.com/s/files/1/0432/3246/0960/files/zefukozew.pdf
    • https://cdn.shopify.com/s/files/1/0429/9679/3503/files/64272129234.pdf
    • https://cdn.shopify.com/s/files/1/0432/0195/3952/files/wafaxesanefaje.pdf
    • https://cdn.shopify.com/s/files/1/0434/0944/0924/files/stardew_valley_bundles_checklist.pdf
    • https://cdn.shopify.com/s/files/1/0440/7263/2470/files/chemical_oceanography.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0432/2295/8248/files/beduxadesew

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a7b0.bin
ad6a6956adde29a652f8e2546a850645cc1e71b235bbd8292dc885ea538169dc		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA7B0 5476 bytes
font_01_sfnt_off0000ba3b.bin
26e4681360ba058988145cdc4795159c22745092285e37160999b88d97750753		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBA3B 17260 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.