Malicious PDF — malware analysis report

Static analysis result for SHA-256 e61bf2907f780364…

MALICIOUS

PDF

40.3 KB Created: 2020-08-17 01:26:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ef8db9ae91edbfef651eb1d29392971f SHA-1: 5a9e4e55a42eab0355bb24dbc30db0b4723f07a9 SHA-256: e61bf2907f780364947cc00f51da81a3c2685579c9d9ab613f72b130ba89025d
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. The document body, though heavily obfuscated, contains text related to 'Avery barcode labels software' and the malicious URL, suggesting a lure. The PDF also exhibits characteristics of a link farm, with numerous external links, many of which are to Shopify-hosted PDFs, likely for SEO manipulation to increase visibility. The primary malicious URL is 'https://ttraff.com/pify?keyword=avery+barcode+labels+software', which is designed to redirect the user to further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=avery+barcode+labels+software
    • http://jololod.callkarlykapur.com/uploads/1/3/0/8/130874655/3072146.pdf
    • http://files.gcraudio.com/uploads/1/3/0/7/130739780/bokusu.pdf
    • http://vexagug.quayeventsgroup.com/uploads/1/3/2/6/132695492/sezagijizopizazase.pdf
    • http://sesefo.2ndgencamaroparts.com/uploads/1/3/1/4/131483337/bovodex_xopelijelu_vexejuzopetiwi.pdf
    • https://cdn.shopify.com/s/files/1/0440/3222/9541/files/56031181152.pdf
    • https://cdn.shopify.com/s/files/1/0433/7431/3633/files/gourmet_race_piano_sheet_music.pdf
    • https://cdn.shopify.com/s/files/1/0433/7922/8837/files/dekofunorutiwapemuwip.pdf
    • https://cdn.shopify.com/s/files/1/0436/1833/6925/files/auditorium_acoustics.pdf
    • https://cdn.shopify.com/s/files/1/0434/3499/9975/files/84839527223.pdf
    • https://cdn.shopify.com/s/files/1/0440/9724/1240/files/71521111573.pdf
    • https://cdn.shopify.com/s/files/1/0433/7827/8550/files/63868651884.pdf
    • https://cdn.shopify.com/s/files/1/0436/8911/5801/files/ccs_university_exam_form_reprint.pdf
    • https://cdn.shopify.com/s/files/1/0430/6544/2457/files/13777184379.pdf
    • https://cdn.shopify.com/s/files/1/0432/8305/4757/files/kuvapopetupegilifupu.pdf
    • https://cdn.shopify.com/s/files/1/0432/2931/5239/files/zigax.pdf
    • https://cdn.shopify.com/s/files/1/0427/8750/4294/files/the_last_remenant_walkthrough.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f9c.bin
dc52dd671d70e5b7b7b14933d90470c9f1d4e7a6210b3688c6959a4d5ba9b4cf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F9C 5396 bytes
font_01_sfnt_off00007218.bin
2e7ba357fcc4a08244e89dc039046cf1f16f9602ea2946004e8f61fb4ed3a6e4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7218 9968 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.