Malicious PDF — malware analysis report

Static analysis result for SHA-256 c4ffac0599699da7…

MALICIOUS

PDF

38.5 KB Created: 2020-08-30 15:58:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 20b3be4ac768570f6ac163fb978711a8 SHA-1: 35d8012201c2d35bb093cce5e5f6e13b68c752a1 SHA-256: c4ffac0599699da7137a1e26b5e5d0f70fb11b0c86660377fe3a113e36619d7d
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

This PDF file contains a malicious link disguised as sheet music. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK indicates that the embedded URL, https://ttraff.me/wix?keyword=avengers+main+theme+sheet+music+piano, leads to known malicious infrastructure. Additionally, the PDF_SEO_LINK_FARM heuristic suggests a large number of outbound links, many of which point to benign Shopify domains, likely as a tactic to obscure the malicious URL. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=avengers+main+theme+sheet+music+piano
    • https://cdn.shopify.com/s/files/1/0431/9005/9157/files/malinowski_argonauts_of_the_western_pacific.pdf
    • https://cdn.shopify.com/s/files/1/0431/7852/4832/files/3444586113.pdf
    • https://cdn.shopify.com/s/files/1/0436/0473/8206/files/disusoteripetuzuraf.pdf
    • https://cdn.shopify.com/s/files/1/0433/7106/9594/files/51459513886.pdf
    • https://cdn.shopify.com/s/files/1/0431/3356/7125/files/pajapovililagew.pdf
    • https://cdn.shopify.com/s/files/1/0440/1928/6174/files/1902135759.pdf
    • https://cdn.shopify.com/s/files/1/0436/4078/3008/files/66964019284.pdf
    • https://cdn.shopify.com/s/files/1/0434/4581/3413/files/shopdog_sawhorse_plans.pdf
    • https://cdn.shopify.com/s/files/1/0431/3199/4280/files/somuluw.pdf
    • https://static.usrfiles.com/ugd/b8c837_07b7e67539e94b319f124c84ebc7e973.pdf
    • https://static.usrfiles.com/ugd/4826f5_d89474d6a66a4ed4b0aba8560a98e5a9.pdf
    • https://static.usrfiles.com/ugd/b8c837_42a8662ca4ad47a9b6d185786cad8943.pdf
    • https://static.usrfiles.com/ugd/865d50_89744cca5e304f628a8d197bb1813397.pdf
    • https://cdn.shopify.com/s/files/1/0427/4146/5244/files/72473087047.pdf
    • https://cdn.shopify.com/s/files/1/0431/7062/7735/files/capitulo_6a_prueba_6a-_2_answers.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004b03.bin
4ded31285a4078a5294d664d1492a78a4ef1666db4feb51c7951e28ba469ad6e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4B03 5248 bytes
font_01_sfnt_off00005caa.bin
65420c67e3a6bf01d3b8a3a6d9a5219e47503ff72e710e6c633c3efd42df22a5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5CAA 9988 bytes
font_02_sfnt_off00007ef1.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7EF1 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.