Malicious PDF — malware analysis report

Static analysis result for SHA-256 e822db243dce246c…

MALICIOUS

PDF

61.2 KB Created: 2020-08-21 02:26:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1656d6d7b146038b1807a10a48353353 SHA-1: 3e34c75afb766f075d14493315b0d45622a2f649 SHA-256: e822db243dce246c6cac323265bc3283b8c2ace2f66bf5a3a811f726cb8ecc4b
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm with numerous embedded URLs, many of which point to Shopify domains hosting PDF files. One critical heuristic identified a link to a known malicious redirector, ttraff.cc, which is used to obscure the final destination. The document body, though heavily obfuscated, contains the URL https://ttraff.cc/pify?keyword=avira+free+antivirus++for+windows+10, suggesting a lure related to free antivirus software. The presence of a malicious redirector and a link farm indicates an attempt to distribute malicious content or phish for information.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=avira+free+antivirus++for+windows+10
    • http://gazurake.mrlondonsclass.com/uploads/1/3/1/8/131856725/xiwoxivogifazaxeta.pdf
    • http://kixusev.gailellensmith.com/uploads/1/3/1/1/131164250/47e53b2cd0371.pdf
    • http://files.bluemantaswimming.com/uploads/1/3/0/7/130739452/kegalemikivipuwisa.pdf
    • http://laxejorom.albertomagana.com/uploads/1/3/1/6/131636725/2704197.pdf
    • http://files.narrative-science.org/uploads/1/3/1/6/131606874/kemudivova.pdf
    • https://cdn.shopify.com/s/files/1/0439/3366/3400/files/total_conquest_offline_unlimited_crowns_mod_apk.pdf
    • https://cdn.shopify.com/s/files/1/0429/7539/5993/files/jixetevaralapi.pdf
    • https://cdn.shopify.com/s/files/1/0432/5706/9721/files/vakoxinujawivow.pdf
    • https://cdn.shopify.com/s/files/1/0433/0065/1158/files/taco_cabana_nutrition.pdf
    • https://cdn.shopify.com/s/files/1/0459/9942/3647/files/movufuxawibap.pdf
    • https://cdn.shopify.com/s/files/1/0449/3400/4891/files/bansal_classes_chemistry_notes.pdf
    • https://cdn.shopify.com/s/files/1/0433/5602/9093/files/8564365566.pdf
    • https://cdn.shopify.com/s/files/1/0433/0471/4404/files/48734538285.pdf
    • https://cdn.shopify.com/s/files/1/0435/7806/5059/files/55081331800.pdf
    • https://cdn.shopify.com/s/files/1/0435/1839/4527/files/canterbury_tales_miller_s_tale.pdf
    • https://cdn.shopify.com/s/files/1/0432/7034/0772/files/70463879922.pdf
    • https://cdn.shopify.com/s/files/1/0431/5519/4011/files/xogadozikasazoji.pdf
    • https://cdn.shopify.com/s/files/1/0432/6693/2902/files/2020_accf_aha_guideline_for_coronary_artery_bypass_graft_surgery.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a2eb.bin
11ca008d1b98f1ac1aad97e38477c4da665f5edd793fd3a58bbadf45ef615986		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA2EB 5088 bytes
font_01_sfnt_off0000b458.bin
600ae8bfca44ee2bf53e640df46ad7422151899b2c27c3e9bed2398a6ef90d41		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB458 10772 bytes
font_02_sfnt_off0000d8e7.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD8E7 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.