Malicious PDF — malware analysis report

Static analysis result for SHA-256 d9e8682f96a875f5…

MALICIOUS

PDF

46.2 KB Created: 2020-07-26 06:27:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c8903eb57dcd3b37572ad567dc961569 SHA-1: dc8cd696b150aa7c09401d7ae2b63f7b17fba439 SHA-256: d9e8682f96a875f510c8d508c3fc8f3b5f04a326e53e2e2a790a9c1ddd0a5095
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many pointing to Shopify domains hosting other PDFs, which is indicative of a link farm for SEO manipulation. One critical heuristic identified a link to a known malicious redirector, ttraff.cc, which is likely the primary malicious payload delivery mechanism. The document body, though heavily obfuscated, contains text related to 'maths worksheets', suggesting a lure to disguise the malicious intent. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=grade+3+maths+worksheets+uk
    • http://files.langsidechurch.org/uploads/1/3/2/6/132695332/kekelo.pdf
    • http://files.achswritersweek.com/uploads/1/3/2/7/132740270/vutetamowike-loparivukagitel-nupidiki.pdf
    • http://files.wifie.org.uk/uploads/1/3/0/8/130873944/tazirabavinifiku.pdf
    • http://files.wifie.org.uk/uploads/1/3/0/8/130873944/t
    • https://cdn.shopify.com/s/files/1/0437/7391/9393/files/nopuzusazupatotemazepe.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/damegadunuje.pdf
    • https://cdn.shopify.com/s/files/1/0437/1080/8216/files/punifasopowojuwinorole.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/94662163826.pdf
    • https://cdn.shopify.com/s/files/1/0433/9197/5580/files/24758848441.pdf
    • https://cdn.shopify.com/s/files/1/0430/3365/7507/files/xatilosozidewizepol.pdf
    • https://cdn.shopify.com/s/files/1/0431/0673/0144/files/pimivusidoxamuvoj.pdf
    • https://cdn.shopify.com/s/files/1/0427/8448/9631/files/wowexer.pdf
    • https://cdn.shopify.com/s/files/1/0430/2897/1681/files/betakapavumiwarixosamovav.pdf
    • https://cdn.shopify.com/s/files/1/0432/0778/6654/files/pelukasurotiwaxosopodewo.pdf
    • https://cdn.shopify.com/s/files/1/0433/8545/4757/files/gitosipawugutiwi.pdf
    • https://cdn.shopify.com/s/files/1/0431/5352/2850/files/vudowadomovusulimapelewow.pdf
    • https://cdn.shopify.com/s/files/1/0432/2436/7262/files/57770462823.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000076a5.bin
8ef28727e2ffddb23fc2ea0d91fb325e7347cc85ef82cb4d2b96535ddb88ac58		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76A5 5112 bytes
font_01_sfnt_off0000881f.bin
31b7c956152c20391a7a3fc86aa2de959395a1f8e8d65f68fe143168e6e13997		 pdf-font-stream PDF embedded font (sfnt) at offset 0x881F 10248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.