Malicious PDF — malware analysis report

Static analysis result for SHA-256 dbe27e7835e52cc6…

Verdict: MALICIOUS
File type: PDF
Size: 52.5 KB
Created: 2020-08-15 22:41:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 11ec19351caa0c7e936ee801eadacc7e
SHA-1: 266626729bd5b560fb8379dbd798c757945f8b66
SHA-256: dbe27e7835e52cc6d961aba410a00564a49b668c3094aa4965cb99999c48a3e2
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.cc'. Additionally, it exhibits a PDF link farm with numerous external links, many hosted on Shopify, suggesting an attempt to obscure the true malicious destination. The ML classifier also flagged this PDF with high confidence. The primary attack pattern involves luring users through these links, likely leading to phishing or malware.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=arumbagi+mottagi+poovagi+video+songs

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005378.bin
SHA-256:  93c7edcbc149e6b4ca7cf436e91e0d7b117c7811d6e67fa694aaabcbc66cfb5a
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x5378
Size:     5436 bytes

Filename: font_01_sfnt_off000065d4.bin
SHA-256:  089024d64dc360c429cdcb950b54465c248182f9436c70a173f642685cb3b950
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x65D4
Size:     9612 bytes

Filename: font_02_sfnt_off000083c3.bin
SHA-256:  04c7380fc26261c2744832b89b88c15a19c10bdba858d191cdaf3dd6803b389c
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x83C3
Size:     13624 bytes

Filename: font_03_sfnt_off0000ae7f.bin
SHA-256:  f53b43e12006e3d52612f085e6e184fa5bba3604999f0cb64562e6bb996dc06b
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0xAE7F
Size:     16384 bytes