Malicious PDF — malware analysis report

Static analysis result for SHA-256 ccd8ef006e9ad697…

Verdict: MALICIOUS
File type: PDF
Size: 39.9 KB
Created: 2020-08-08 10:40:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 09a9ac6671b51e5ec3477d84f8026dea
SHA-1: 08ba2b697da6dca35d396c668ad71bfa297108e4
SHA-256: ccd8ef006e9ad697e5c7b740e057e353a50a8c830e7f6ef1f6514ec368d3b6b6
Risk score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link
  • T1059.001 PowerShell

This PDF document exhibits characteristics of a link farm, embedding a large number of URLs designed to manipulate search engine results and redirect users to malicious infrastructure. The primary malicious redirector identified is 'ttraff.ru'. While no scripts were extracted, the PDF structure and embedded links strongly suggest a phishing or redirection attack. The ML classifier also flagged this PDF with high confidence.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.ru/pify?keyword=illinois+corporation+annual+report+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off00005eb7.bin
    SHA-256: 51c0fab946c9ef5f76ae6898e195a4ea7e4da9944bc79feafa4a044567ace9af
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5EB7
    Size: 5088 bytes
  • font_01_sfnt_off00007010.bin
    SHA-256: a51a3962db0b28b60a73914e98bed6812f6e2ade49bf727ab2e6b5914d9e496e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7010
    Size: 10120 bytes