Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5a473365dc57cc4…

MALICIOUS

PDF

Size: 58.7 KB
Created: 2020-08-22 06:52:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 25d71882b314e3be1f3277ed7a322a4e
SHA-1: d7d98f0e1bc7e1c583af3d44f2dda8e2566e6b39
SHA-256: e5a473365dc57cc4768224d30cc4655adb53ef5018d8d6ed4111818f40a9b0f2
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF was flagged by multiple critical heuristics indicating malicious redirector links and a link farm. The embedded URLs, particularly the one pointing to 'ttraff.com', are associated with malicious redirector infrastructure. The document body, though heavily obfuscated, contains references to these URLs and appears to be generated by wkhtmltopdf, a tool sometimes used to create malicious PDFs. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious, score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=contenttype+application%252F+x-+www-+form-+urlencoded+ajax

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      SHA-256                                                           Kind             Source                                     Size
font_00_sfnt_off00008223.bin  f6d19c69a713fcfde9bcbd0803d543cf77559a0d2ec2118296f38450282dadce  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8223  5432 bytes
font_01_sfnt_off000094ac.bin  0bffa03402480dacacf2561e0d274fe52505f17b15825b9619e184bb6a0f3cbf  pdf-font-stream  PDF embedded font (sfnt) at offset 0x94AC  2640 bytes
font_02_sfnt_off0000a03f.bin  f24baf48cd6fc93260ad23b2408d7452e28f39d11f21992da7400ccdbe1e35cd  pdf-font-stream  PDF embedded font (sfnt) at offset 0xA03F  11348 bytes
font_03_sfnt_off0000c708.bin  0216150ac0e5ade23b072752459620ec704bdac01526bfbadd96d51f96873ef3  pdf-font-stream  PDF embedded font (sfnt) at offset 0xC708  16168 bytes