Malicious PDF — malware analysis report

Static analysis result for SHA-256 edb8c02457c29fde…

MALICIOUS

PDF

Size: 50.6 KB
Created: 2020-08-16 01:01:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e673dd9451944c22f8f60cb983ca0e96
SHA-1: 0c4b1212822f9f99bb05b3125362b54c8fabd93a
SHA-256: edb8c02457c29fdee21fde384528524268f3f3f98fb62332b54ae499bb9f4c16
Risk score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1059.001 PowerShell

The PDF carries a clickable redirector link to ttraff.com, a host flagged as malicious redirector infrastructure. It also holds a large number of external PDF links, most of them clustered on a single CDN host and carrying SEO-style keyword filenames, which matches machine-generated link-farm PDFs used to route users into malicious or unwanted-software delivery chains. The ML classifier scored the file as malicious with maximum confidence. The document text, though heavily obfuscated, contains the redirector URL and presents as a lure for a Gujarati magazine PDF (the redirector's query string is the search phrase 'safari gujarati magazine pdf'). The authoring application, wkhtmltopdf, is an HTML-to-PDF renderer, consistent with a generated web page printed to PDF rather than an authored document. Nothing extracted from the file points to an exploit against the PDF parser; the threat depends on the user clicking through the links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and a redirect chain rather than on a PDF parser vulnerability, so the risk lies in following the links, not in rendering the file.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content such as JavaScript or actions; here it stayed at info, meaning the duplicate body carried none.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL on its own is not a detection; what matters is the channel that reached it (macro, JavaScript, link annotation, document body, ...). The URLs below are grouped by the role the heuristics above assign to them.
    Clickable redirector link (PDF_MALICIOUS_REDIRECTOR_LINK), also present in the obfuscated document text:
    • https://ttraff.com/wb?keyword=safari%20gujarati%20magazine%20pdf
    Clickable external PDF links (PDF_SEO_LINK_FARM), 18 in total, 14 of them on cdn.shopify.com:
    • http://files.culinaryartbymarisa.com/uploads/1/3/1/1/131164124/5627287.pdf
    • http://pomogat.blackdogdigital.com/uploads/1/3/1/4/131437792/matifibuvodi-gipitoselu-pudujidefavog-kaxegane.pdf
    • http://xitojaro.loblowsports.com/uploads/1/3/0/7/130739732/lulesamidaxik.pdf
    • http://files.freshstockjapan.com/uploads/1/3/2/7/132740778/fopabaluzexewet.pdf
    • https://cdn.shopify.com/s/files/1/0435/3861/2378/files/bhagavad_gita_telugu_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0430/8713/4882/files/1995078746.pdf
    • https://cdn.shopify.com/s/files/1/0437/1916/4058/files/lolefurobesoxibuwegid.pdf
    • https://cdn.shopify.com/s/files/1/0432/4176/7072/files/gupodoxulitakekuwukesojop.pdf
    • https://cdn.shopify.com/s/files/1/0428/6437/8022/files/watch_movies_2k.pdf
    • https://cdn.shopify.com/s/files/1/0431/0951/5413/files/70364145318.pdf
    • https://cdn.shopify.com/s/files/1/0430/7507/6258/files/calculus_bangla_book_download.pdf
    • https://cdn.shopify.com/s/files/1/0438/2962/4992/files/zikidozajagumax.pdf
    • https://cdn.shopify.com/s/files/1/0432/3937/5012/files/netafurevadatiril.pdf
    • https://cdn.shopify.com/s/files/1/0435/5588/1111/files/basel_2_framework.pdf
    • https://cdn.shopify.com/s/files/1/0433/4741/1096/files/36218045485.pdf
    • https://cdn.shopify.com/s/files/1/0431/0122/5114/files/ludufazotixidipuvabatim.pdf
    • https://cdn.shopify.com/s/files/1/0432/6011/7160/files/uninstall_java_on_mac.pdf
    • https://cdn.shopify.com/s/files/1/0437/9105/7058/files/72605141354.pdf
    XMP metadata namespace URIs (schema identifiers from the document's XMP packet, not links; present in most PDFs that carry XMP metadata):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
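The three document-level heuristics above (redirector link, link farm, duplicate object body) are simple enough to reproduce on raw PDF bytes. The following Python script is an added example written for this page, not the analyser's own code: it builds a small constructed PDF with /Link annotations (placeholder hosts under the reserved .example and .test names; the "known redirector" denylist and the link-farm thresholds are assumptions), extracts the /URI strings, scores the link-farm shape, and shows how a first-wins and a last-wins reader resolve a duplicated object differently, raising severity only when the duplicate body carries active content.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Raw-byte scanning sees objects that are not packed into compressed object
# streams, the common case for generated carriers and for appended updates.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|EmbeddedFile)\b")
KNOWN_REDIRECTORS = {"redirector.example"}  # assumed stand-in for threat intel


def parse_objects(pdf):
    """Every 'N G obj ... endobj' definition, in file order, as (N, G, body)."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(pdf)]


def resolve_objects(pdf, policy="last"):
    """Object table as a first-wins or last-wins reader would build it."""
    table = {}
    for num, gen, body in parse_objects(pdf):
        if policy == "first" and (num, gen) in table:
            continue
        table[(num, gen)] = body
    return table


def duplicate_objects(pdf):
    """(N, G) keys defined more than once with differing body bytes."""
    seen = {}
    for num, gen, body in parse_objects(pdf):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def extract_uris(pdf):
    """Decode the /URI (...) literal string of each link-annotation action."""
    uris = []
    for m in URI_RE.finditer(pdf):
        raw = m.group(1)
        for esc, lit in ((b"\\(", b"("), (b"\\)", b")"), (b"\\\\", b"\\")):
            raw = raw.replace(esc, lit)
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm(uris, size_bytes, max_size=200_000, min_links=10, cluster=0.5):
    """PDF_SEO_LINK_FARM shape: small file, many .pdf links, mostly on one host
    (thresholds are assumptions for this example, not the analyser's)."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    flagged = (size_bytes <= max_size and len(pdf_links) >= min_links
               and share >= cluster)
    return {"pdf_links": len(pdf_links), "top_host": top_host,
            "top_share": round(share, 2), "flagged": flagged}


def analyze(pdf):
    """Map heuristic id -> severity for the three checks discussed above."""
    uris = extract_uris(pdf)
    findings = {}
    if any(urlparse(u).hostname in KNOWN_REDIRECTORS for u in uris):
        findings["PDF_MALICIOUS_REDIRECTOR_LINK"] = "critical"
    if link_farm(uris, len(pdf))["flagged"]:
        findings["PDF_SEO_LINK_FARM"] = "critical"
    dups = duplicate_objects(pdf)
    if dups:  # body-only differences stay info; escalation level is assumed
        active = any(ACTIVE_RE.search(b) for bodies in dups.values() for b in bodies)
        findings["PDF_DUPLICATE_OBJ_BODY_INCREMENTAL"] = "high" if active else "info"
    return findings


def build_sample(uris, duplicate_page_with_js=False):
    """Constructed test input (not the analysed sample): minimal uncompressed PDF,
    one /Link per URI, optionally an appended update redefining page object 3 0."""
    annots = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(uris)))
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            b"/Annots [" + annots + b"] >> endobj"]
    for i, u in enumerate(uris):
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (%s) >> >> endobj" % (10 + i, u.encode()))
    pdf = b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    if duplicate_page_with_js:  # last-wins readers see a JavaScript page action
        pdf += (b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/AA << /O << /S /JavaScript /JS (app.alert(1)) >> >> >> endobj\n"
                b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return pdf


# Constructed URL set mirroring the report's shape: one redirector link plus
# twelve external .pdf links, nine of them clustered on one placeholder host.
FARM_HOST = "cdn.example-cdn.test"
SAMPLE_URIS = (["https://redirector.example/wb?keyword=sample%20magazine%20pdf"]
               + ["https://%s/files/%d/lure.pdf" % (FARM_HOST, i) for i in range(9)]
               + ["http://files.other-%d.test/uploads/%d.pdf" % (i, i) for i in range(3)])

if __name__ == "__main__":
    print(analyze(build_sample(SAMPLE_URIS)))
    print(analyze(build_sample(SAMPLE_URIS, duplicate_page_with_js=True)))
```

Running the script prints two critical findings for the plain carrier and adds the escalated duplicate-object finding for the variant with the appended update; resolve_objects(pdf, "first") and resolve_objects(pdf, "last") return different bodies for object 3 0 in that variant, which is exactly the reader disagreement the heuristic describes.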

Extracted artifacts (4)

Files carved from inside the sample during analysis.

All four carved artifacts are embedded sfnt (TrueType/OpenType container) font streams; no embedded file, script, or executable payload was carved from the sample.

  • font_00_sfnt_off000059f4.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x59F4  Size: 5380 bytes
    SHA-256: 6791f9f34851c25df2508edd82034464013e539566b3db6cfcc5cbbd35435414
  • font_01_sfnt_off00006c32.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x6C32  Size: 7116 bytes
    SHA-256: 72e3c820b44ead4f3a62c96bf8a0c595023da281479462628ad10cf1c0d5024a
  • font_02_sfnt_off0000834f.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x834F  Size: 10048 bytes
    SHA-256: 0e493413b10e166862f3aa45a1c54b87ad48af03edbf8b0b10a9729ec049f2d6
  • font_03_sfnt_off0000a5ea.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0xA5EA  Size: 16164 bytes
    SHA-256: 0d7a92828fb34c46272def7401d297891c72c028a4bdfa4d2814ce18bde6b281