Malicious PDF — malware analysis report

Static analysis result for SHA-256 d69357472d7324a9…

Verdict: MALICIOUS
File type: PDF
Size: 64.7 KB
Created: 2020-08-04 01:06:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2bc06a5c71553a0f572407c5d6b00235
SHA-1: b05e9b5325256e61d58ef7e8b7ff9c3602be5f41
SHA-256: d69357472d7324a9b02294c30c634b59a7ad76a4c9f5779efe238e75f02e4d94
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a malicious redirector link pointing to 'ttraff.com', which is designed to lure users into clicking it. The document body, though heavily obfuscated, contains text related to 'alt code for check mark in pdf' and references the redirector URL. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs, many hosted on 'cdn.shopify.com', suggesting an attempt to generate traffic or SEO manipulation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=alt+code+for+check+mark+in+pdf

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size / SHA-256:

  • font_00_sfnt_off00006e73.bin
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x6E73 | Size: 6904 bytes
    SHA-256: d4f61b61af8601229a997fb2c16e3962faefae0758d0ab55f11ca6dc3998ae32
  • font_01_sfnt_off00007ff5.bin
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x7FF5 | Size: 5060 bytes
    SHA-256: ffbb643e35f91d7d00bf22e7018ba6e8a0aa13f4b8fce5ef50cd3a6c03701b9d
  • font_02_sfnt_off000090e1.bin
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x90E1 | Size: 3220 bytes
    SHA-256: 51d2b44f64098763575402775c78e1ac2c30f0a0b4b9a72e6f6fd6aa23abadbe
  • font_03_sfnt_off00009dc5.bin
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x9DC5 | Size: 14472 bytes
    SHA-256: 27cfa07d4aca32e04446935b64a650c888a2fa8184e51e9629c06d11e60a1ff8
  • font_04_sfnt_off0000cb24.bin
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xCB24 | Size: 17148 bytes
    SHA-256: f33f0ffb81312becb40d2a295c019163f251ca589ab4802f8f49cfd88e3c7a6a
  • font_05_sfnt_off0000e3bc.bin
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xE3BC | Size: 4324 bytes
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c