Malicious PDF — malware analysis report

Static analysis result for SHA-256 b76ade4c00354141…

Verdict: MALICIOUS
File type: PDF
Size: 48.5 KB
Created: 2020-07-22 21:48:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1570b4b496ff3037bfa7f6b25de9461d
SHA-1: 3e79cfc7275cfd929ad23e42c9ded0adb60f01a0
SHA-256: b76ade4c003541414f75805455a23b0bad0d1f5118216d9b26280eb87fbd5b36
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF was flagged by a machine learning model and heuristics indicate it contains a malicious redirector link and a large number of embedded links, suggesting a link farm for SEO poisoning or phishing. The primary malicious URL identified is ttraff.cc, which is known for redirecting to malicious content. The document body contains garbled text, indicating it is not intended for human consumption but rather as a container for malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/wb?keyword=ryobi%20inflator%20deflator%20manual

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00007d73.bin
    SHA-256: 95f6763b6da83b4b5c7cee9fcb8588d3a48decf436d8dba0447047e1abd6e133
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7D73
    Size: 5004 bytes
  • Filename: font_01_sfnt_off00008e58.bin
    SHA-256: 4b9d45293ad645aa146d6287fac9f09381c21e04e6df23200dd1dfccc220bb5c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8E58
    Size: 10732 bytes