Malicious PDF — malware analysis report

Static analysis result for SHA-256 e0c87649df18c13c…

Verdict: MALICIOUS
File type: PDF
Size: 50.7 KB
Created: 2020-10-27 02:20:09 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: eaeca6911868f31fcfea4a0a436265fc
SHA-1: 17c1032f7f0a57443cbdc8484c0123a990f8c348
SHA-256: e0c87649df18c13c1428231660b72b5a2b1af16c97eb5510d2679427ad78f3d7
Risk Score: 174

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it exhibits characteristics of a link farm, with numerous embedded URLs, many of which are benign Shopify links, but the primary redirector is suspicious. The 'SE_CALLBACK_LURE' heuristic suggests a phishing or tech-support scam pretext, further supported by the presence of a suspicious URL in the document body. No scripts were extracted, but the malicious link is the primary indicator of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_CALLBACK_LURE (medium): Callback phishing phone lure
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/123?keyword=nietzsche+pdf+beyond+good+and+evil

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00008529.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8529
    Size: 5640 bytes
    SHA-256: d57ddd884c8e3a9fdd9ee6a1bbf65edc3ecbc79564b6164454955d0d50910e19
  • font_01_sfnt_off00009872.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9872
    Size: 10788 bytes
    SHA-256: 973307d2498b8e462fd8b23c6d6a8afa103c33018317e7ea90d23e5f0f9179b3