Malicious PDF — malware analysis report

Static analysis result for SHA-256 e842472737b46be9…

Verdict: MALICIOUS
File type: PDF
Size: 53.3 KB
Created: 2020-08-29 19:27:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: eb8cb5c7e029091aa67d684a4728645f
SHA-1: 16861617f9c021a0ead995519c5e3b760ae4c10b
SHA-256: e842472737b46be9a31a10dc5c9c2bc1166f6267ca0cf20c5fe3f9e5a13a8519
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.cc, which is disguised as a 'Jonny quest cartoon torrent download'. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs pointing to various PDF files, likely for SEO manipulation or to obscure the malicious destination. The ML classifier strongly flagged this PDF as malicious. The primary attack vector appears to be social engineering through a deceptive link.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=jonny+quest+cartoon+torrent+download
    • https://cdn.shopify.com/s/files/1/0436/9930/6648/files/pofagopegod.pdf
    • https://cdn.shopify.com/s/files/1/0433/8266/9475/files/benexerapuritovon.pdf
    • https://cdn.shopify.com/s/files/1/0433/3315/7014/files/easy_learning_russian_language.pdf
    • https://cdn.shopify.com/s/files/1/0434/3670/3900/files/45363559392.pdf
    • https://static.usrfiles.com/ugd/b8c837_b78596d4ac514b358dd934118942b945.pdf
    • https://static.usrfiles.com/ugd/b8c837_d5c2cf93c6d043be8a06f2c6d6083b17.pdf
    • https://static.usrfiles.com/ugd/b8c837_d20b110532c74c6eb7e66faf85c44d35.pdf
    • https://static.usrfiles.com/ugd/b8c837_23e82f2fbb664178bcb84bfe74ac4eef.pdf
    • https://cdn.shopify.com/s/files/1/0430/2071/4137/files/pokemon_black_2_rom.pdf
    • https://cdn.shopify.com/s/files/1/0435/1731/3176/files/limusevoposirolatexoputi.pdf
    • https://cdn.shopify.com/s/files/1/0432/2279/4395/files/pabesa.pdf
    • https://cdn.shopify.com/s/files/1/0429/1647/9132/files/32981517870.pdf
    • https://cdn.shopify.com/s/files/1/0433/4449/4750/files/cabinet_minister_of_odisha.pdf
    • https://cdn.shopify.com/s/files/1/0441/1277/3272/files/34761126346.pdf
    • https://cdn.shopify.com/s/files/1/0434/3195/2536/files/together_again_buck_owens.pdf
    • https://cdn.shopify.com/s/files/1/0432/8649/5397/files/bowozodikimo.pdf
    • https://cdn.shopify.com/s/files/1/0428/0736/1703/files/88945070767.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00007864.bin
    SHA-256: 1fd4dbe184478f6b8a597acf94adf815221a45c2467c2834d0fe1440006ce1ca
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7864
    Size: 5240 bytes
  • font_01_sfnt_off00008a59.bin
    SHA-256: 572ceb0b25ffa1d2ca038ac4d1b6cc746b4ec033da9f2a39b5c228eb473f2ec4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8A59
    Size: 12352 bytes
  • font_02_sfnt_off0000b2da.bin
    SHA-256: a4790eb4f6d4154bf27b37f3c17bff3199b0e620de062e7f5c148da0cd1c657b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB2DA
    Size: 16112 bytes