Malicious PDF — malware analysis report

Static analysis result for SHA-256 b7ed2beba2043c60…

MALICIOUS

PDF

31.8 KB Created: 2020-08-18 19:56:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dc45c82eac639c4df79c45d91fa3a2c4 SHA-1: 39060ed6b7a00bc01efd534eceeabfcbed708a59 SHA-256: b7ed2beba2043c60ab0df5de17e81ec8623245550410b2f2112687714877e43c
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic firing indicating a malicious redirector link to 'ttraff.com'. Another critical heuristic identified a PDF link farm, with many links pointing to Shopify domains. The ML classifier also flagged this PDF as malicious with high confidence. The document body, though heavily obfuscated, contains the malicious URL and references to other PDF files, reinforcing the link farm and redirection attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=lattice+math+template
    • http://files.thesummiteauclaire.com/uploads/1/3/1/1/131163684/sapitositodufewidot.pdf
    • https://cdn.shopify.com/s/files/1/0449/7106/5503/files/titutonobesaradij.pdf
    • https://cdn.shopify.com/s/files/1/0432/3131/4077/files/bedewegedez.pdf
    • https://cdn.shopify.com/s/files/1/0429/6704/0163/files/gifoxenug.pdf
    • https://cdn.shopify.com/s/files/1/0430/1943/6185/files/programa_para_unir_offline.pdf
    • https://cdn.shopify.com/s/files/1/0433/7431/3633/files/7226773480.pdf
    • https://cdn.shopify.com/s/files/1/0429/2132/8807/files/debubokubikadiseso.pdf
    • https://cdn.shopify.com/s/files/1/0437/8253/7365/files/install_dmg_on_mac.pdf
    • https://cdn.shopify.com/s/files/1/0431/1754/3588/files/18236374637.pdf
    • https://cdn.shopify.com/s/files/1/0433/1284/0872/files/ontological_assumptions.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004268.bin
88a95b3a592a591d8dda95d23f3f73685ae0bbcae801612326edebfc10b4713b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4268 4840 bytes
font_01_sfnt_off000052bc.bin
9c83935ce0aade52433fcf9219e19f7e38ade437c5c70cb8c1025bab1fb4023b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x52BC 9508 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.