Malicious PDF — malware analysis report

Static analysis result for SHA-256 aef45d11952d40e4…

Verdict: MALICIOUS
File type: PDF
Size: 50.9 KB
Created: 2020-08-24 12:53:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e06efe2eaafaa3ded04e92e2e266f864
SHA-1: dfc3bd3f6d8b4636be7767265aa93eda993c2d44
SHA-256: aef45d11952d40e40cf0879ff7d86c429f1230a29bb2f9f38b1b7236e355c66d
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains numerous embedded links, many of which point to a link farm hosted on cdn.shopify.com, likely for SEO poisoning. One critical heuristic identified a link to a known malicious redirector, ttraff.cc, which is used to lure users into downloading content by promising a movie. The document body, though heavily obfuscated, contains the same malicious URL and references to movie downloads, reinforcing the lure. No scripts were extracted, but the primary attack vector is the malicious redirector link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://ttraff.cc/pify?keyword=american+sniper+2014+full+movie++300mb

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00005274.bin | 94cd4199a6eabacb808968f1f9e676bf947677c8ac92630e56e9ceaea5d801e1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5274 | 5928 bytes
font_01_sfnt_off00006689.bin | 87985804ebf98b1030980f20b4e39595e1aa76caccafc3e7d64f2ca02509db1c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6689 | 20968 bytes
font_02_sfnt_off000086ba.bin | 5e0676e134781f2a21c06a0d045eebc95ad2f72f5ed7fc876ffdcead7ccbe471 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x86BA | 2276 bytes
font_03_sfnt_off00009084.bin | 6353c8a9f1d1b874bc4081bc4088c3af8a605a875ed9d49906e31f4a0641c421 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9084 | 10656 bytes
font_04_sfnt_off0000b4d3.bin | e5f30af547b55dfbbae63869c45e93d04e829a64999393572a2275da8290585e | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB4D3 | 2056 bytes