Malicious PDF — malware analysis report

Static analysis result for SHA-256 ccb6dd672c57d6ba…

MALICIOUS

PDF

216.0 KB Created: 2020-09-01 14:47:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dcd4c2873c65147a7cc08b7719d43cb6 SHA-1: ddfcea42bb101c3b80ee35e90475461e636cfa15 SHA-256: ccb6dd672c57d6ba7b2f6d42edf43df5b3172e5788fc0bc871e1a424744d4273
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF was flagged as malicious by a machine learning classifier and contains a critical heuristic indicating a link to known malicious redirector infrastructure. The embedded URL, 'https://ttraff.link/wix?keyword=kindaichi+case+files+episodes', is the primary indicator of malicious intent, likely serving as a lure to a phishing or malware distribution page. No scripts were extracted, but the presence of the malicious URL is sufficient evidence for this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=kindaichi+case+files+episodes
    • https://cdn.shopify.com/s/files/1/0431/3799/0805/files/neoplasia_endocrina_multipla_tipo_1.pdf
    • https://cdn.shopify.com/s/files/1/0431/0096/2977/files/rinaxapirovolugodebovazor.pdf
    • https://cdn.shopify.com/s/files/1/0433/5478/3893/files/litokinuvirigiz.pdf
    • https://cdn.shopify.com/s/files/1/0431/1449/6161/files/eyes_text_emoji.pdf
    • https://static.usrfiles.com/ugd/de65f7_cea7e914bc7c46519b4a4f5191a15cd7.pdf
    • https://static.usrfiles.com/ugd/b8c837_4eff25d7850a40f7b91869aedce118a8.pdf
    • https://static.usrfiles.com/ugd/95089d_f8ea1d18f2144aadbb66f331cb8453cf.pdf
    • https://static.usrfiles.com/ugd/136d07_6cada06f35e94286877417ac7e4b1379.pdf
    • https://static.usrfiles.com/ugd/1f2646_5f46091384324824859ab76df19a9d3a.pdf
    • https://static.usrfiles.com/ugd/ce5d00_51a270fd73cc478c8cc0c6b61bb0fee0.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_006_off00022555.bin
dddcbbfa5a0efc46b5752dc91522e8eab3d15ce1aa586d997488fcd0b2167901		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x22555 72464 bytes
font_01_sfnt_off0002fde6.bin
fc3519460dd8405d3ad5bba0b99cf397f5baf131aacd7b65944c64a29514fab1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2FDE6 5116 bytes
font_02_sfnt_off00030f5c.bin
c1f8b52d212d7b7b6cb9191c839aea569f3e9fd34939065c0283343c9e21795e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x30F5C 10372 bytes
font_03_sfnt_off000332d5.bin
45417294a18e71fd1fca4fb0a784277a01d17bc837ab489cde657aa9e638533d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x332D5 18536 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.