Malicious PDF — malware analysis report

Static analysis result for SHA-256 d607b99ea41bdf3e…

MALICIOUS

PDF

58.7 KB Created: 2020-07-30 13:12:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c5760999ffbdb1ebe7a6b33a655b08a1 SHA-1: b4b601ffb844b7432435d753050a85983b0e6b68 SHA-256: d607b99ea41bdf3e26a2ee2cb731639612673f2d4c8a2d873784ef127bc4cb41
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. This indicates the document's primary purpose is to lure users to a malicious site. The PDF also contains a large number of embedded links, many hosted on 'cdn.shopify.com', suggesting a link farm or SEO poisoning tactic to improve search engine visibility for malicious content. No scripts were extracted, but the presence of the malicious redirector is sufficient evidence of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=angularjs%20interview%20questions%20and%20answers%20for%20experienced%20pdf
    • http://files.ubecbyrani.com/uploads/1/3/1/0/131070166/zakagopi_fobokefedopedaf.pdf
    • http://files.neenahpowerlifting.com/uploads/1/3/0/8/130813095/pexukof_ruvow_mebirena.pdf
    • http://files.illinoisdelta.org/uploads/1/3/1/6/131607027/dc78cf9e9772b.pdf
    • http://files.ppesafetycompliance.com/uploads/1/3/1/3/131379948/9991122.pdf
    • https://cdn.shopify.com/s/files/1/0440/8731/2534/files/11380712263.pdf
    • https://cdn.shopify.com/s/files/1/0431/9356/5342/files/pagubimalafoba.pdf
    • https://cdn.shopify.com/s/files/1/0430/0413/3525/files/gebepipawemof.pdf
    • https://cdn.shopify.com/s/files/1/0434/5154/7800/files/kozojorarupurifibew.pdf
    • https://cdn.shopify.com/s/files/1/0438/6825/8469/files/94393203318.pdf
    • https://cdn.shopify.com/s/files/1/0432/3662/2498/files/livumunodewinewevodive.pdf
    • https://cdn.shopify.com/s/files/1/0431/1678/9927/files/nesutipidumapebefifot.pdf
    • https://cdn.shopify.com/s/files/1/0433/3076/4968/files/44392347671.pdf
    • https://cdn.shopify.com/s/files/1/0434/0659/0106/files/46094684455.pdf
    • https://cdn.shopify.com/s/files/1/0431/6977/5782/files/xujuxiredesoso.pdf
    • https://cdn.shopify.com/s/files/1/0433/2614/4670/files/62311460276.pdf
    • https://cdn.shopify.com/s/files/1/0433/6176/3480/files/pasejuxomokisu.pdf
    • https://cdn.shopify.com/s/files/1/0432/6031/3763/files/76989613304.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0434/5154/7800/file

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a3e2.bin
faa7dfc4cdff8ad71514c17f6a3acaba33776d3dfd4db1d81e8ce56fd6d99e07		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA3E2 5616 bytes
font_01_sfnt_off0000b71d.bin
64d1f4ec0aed02274b62fcaaa180535af92c7397ce276e7a098943b809b7d095		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB71D 10960 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.