Malicious PDF — malware analysis report

Static analysis result for SHA-256 c02be3d88062cce3…

MALICIOUS

PDF

47.1 KB Created: 2020-08-21 10:03:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2f8e16d0545c85742903bbdc91c55555 SHA-1: d1db979b7bc4a5bd84c44872185bf54a102f9e71 SHA-256: c02be3d88062cce3e08d875d9631260e66b0b52c34ee1369c9ae6d50d0e9b8fa
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a significant number of embedded links, with a critical heuristic firing indicating a link farm pointing to a redirector. The primary malicious URL identified is ttraff.cc, which is known for redirecting to malicious content. The document body itself is heavily obfuscated but contains references to the same redirector URL, suggesting it's the intended lure. No scripts were extracted, limiting the analysis of direct execution capabilities.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=android+action+bar+add+menu+programmatically
    • http://dabodawen.realfitwithbrookeb.com/uploads/1/3/0/9/130969868/wuzewimovojerevosar.pdf
    • https://cdn.shopify.com/s/files/1/0429/7572/3673/files/vozisosusamafidoboze.pdf
    • https://cdn.shopify.com/s/files/1/0431/4673/9868/files/kofekojigob.pdf
    • https://cdn.shopify.com/s/files/1/0435/4162/7029/files/experiment_3_calorimetry_lab_report.pdf
    • https://cdn.shopify.com/s/files/1/0435/6263/1326/files/zamirajizimuw.pdf
    • https://cdn.shopify.com/s/files/1/0430/0803/2922/files/tobigoxisesoxomum.pdf
    • https://cdn.shopify.com/s/files/1/0429/7093/9541/files/24834914035.pdf
    • https://cdn.shopify.com/s/files/1/0434/8549/5453/files/dewapuwururamedudonopoto.pdf
    • https://cdn.shopify.com/s/files/1/0449/8548/3422/files/27831818871.pdf
    • https://cdn.shopify.com/s/files/1/0430/5358/0441/files/72485959375.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006e54.bin
86622e3abd701e4a7219ad6aed07f7c4eb27611f0bfc113f1e1e703ddcbe7e65		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E54 5448 bytes
font_01_sfnt_off000080c4.bin
7537b41cee7142919a93bebf785c6b1e653bc340f9623089afbd4a30f5ccfcaf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x80C4 14644 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.