Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6764825900d45c5…

MALICIOUS

PDF

69.9 KB Created: 2020-08-22 04:58:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f0481fd4be2baf5fa98c576ed734e54e SHA-1: 40938cd5e124807c0ce551d875ba4e9132ad22af SHA-256: c6764825900d45c59eec6c9d86b08a45a214a01341bf4c3ab54c5fdd3e67b0d7
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged as malicious by a machine learning model and contains a significant number of embedded links. One critical heuristic identified a link to a known malicious redirector service, ttraff.com, which likely serves as a lure for phishing or malware delivery. The document also exhibits characteristics of a link farm, with many URLs pointing to Shopify-hosted PDFs, suggesting an attempt to manipulate search engine results or distribute content broadly. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=d%2526+d+monk+guide+5e
    • http://files.markwarrencoleman.com/uploads/1/3/0/8/130814680/ziluwalomare.pdf
    • http://files.dariodidonato.com/uploads/1/3/1/1/131164250/e9055f.pdf
    • http://files.almeria-estates-and-realty.com/uploads/1/3/1/4/131437351/fefozo.pdf
    • http://files.novelsf.com/uploads/1/3/1/4/131483550/mataxopawowojuvuba.pdf
    • http://files.asrpci.org/uploads/1/3/0/8/130814676/bevitifeni-sinagipifanelo.pdf
    • https://cdn.shopify.com/s/files/1/0437/8938/5885/files/xajibovigujaj.pdf
    • https://cdn.shopify.com/s/files/1/0437/3122/2677/files/holt_science_and_technology_physical_science_textbook.pdf
    • https://cdn.shopify.com/s/files/1/0436/9838/9145/files/48129870448.pdf
    • https://cdn.shopify.com/s/files/1/0428/3046/3135/files/31464109792.pdf
    • https://cdn.shopify.com/s/files/1/0431/2799/6565/files/popaporovetab.pdf
    • https://cdn.shopify.com/s/files/1/0429/4190/7110/files/tamaganatafedojej.pdf
    • https://cdn.shopify.com/s/files/1/0432/7142/2102/files/mugevevewoseg.pdf
    • https://cdn.shopify.com/s/files/1/0436/3150/9664/files/zilivizimep.pdf
    • https://cdn.shopify.com/s/files/1/0439/2163/7544/files/41079937788.pdf
    • https://cdn.shopify.com/s/files/1/0432/0703/2990/files/80931681546.pdf
    • https://cdn.shopify.com/s/files/1/0431/6859/6124/files/texojegot.pdf
    • https://cdn.shopify.com/s/files/1/0430/1094/9273/files/7414527111.pdf
    • https://cdn.shopify.com/s/files/1/0430/4610/9341/files/76689627023.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000700a.bin
77db61ef5180589f8aa115641cb2bd4aea57415b2070ee90626b0d4e29fde502		 pdf-font-stream PDF embedded font (sfnt) at offset 0x700A 6596 bytes
font_01_sfnt_off0000804f.bin
a5b279f02d72b9a9f90a20f4d0ea34bc529691a211e0332fc8c824e18e1de280		 pdf-font-stream PDF embedded font (sfnt) at offset 0x804F 3148 bytes
font_02_sfnt_off00008b8e.bin
f160675c5580dff3c73b34ff7910be5a3b332df7dca2dd9ff89af35a2593c860		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8B8E 4156 bytes
font_03_sfnt_off0000997b.bin
5b9628e4dce825d9a75eb6ecfd2f53d6044f55cd2d2d1f787b33c43dc16d3c67		 pdf-font-stream PDF embedded font (sfnt) at offset 0x997B 6224 bytes
font_04_sfnt_off0000a8a1.bin
7346af63be269dad8da68491820160c145a48e0579501f50302a21e5147180bb		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA8A1 20444 bytes
font_05_sfnt_off0000e3d9.bin
44769919e113f321e71240e0f7da55f1f3a365acef9016667d5dbee46ef85b1e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE3D9 16304 bytes
font_06_sfnt_off0000f99c.bin
0692d07488ade8912a6091c6bdc6549204911174be285f4eb21d1be1e0dfe440		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF99C 6160 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.