Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef8a1374d15a096e…

MALICIOUS

PDF

47.7 KB Created: 2020-08-03 16:40:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e481f796b37ebbe7e823cb8cdcae3d38 SHA-1: e6b0274f8c33117b8fb1006695d1c66917d45baf SHA-256: ef8a1374d15a096e391cc0bb6ac31d21e6473a8a848b42b89e16c7832d2b8c83
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.com, which is likely used to obscure the final destination of the malicious payload. The document body, though heavily obfuscated, contains the same URL, suggesting it is the primary lure. The presence of numerous other PDF links, many hosted on Shopify, indicates a potential link farm or SEO poisoning tactic to distribute the malicious document. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=vulgarisation%20scientifique%20mode%20d%20emploi%20pdf
    • http://files.oakstreetnurseryschool.com/uploads/1/3/1/8/131871740/5096382.pdf
    • http://files.javiatorsim.com/uploads/1/3/1/6/131637658/b4449f8ed62e8.pdf
    • http://files.angelamedinagarcia.com/uploads/1/3/0/7/130739727/koxigezukiwuvetesob.pdf
    • http://files.996makers.com/uploads/1/3/0/7/130739385/18877837f29e.pdf
    • http://www.scienceetpartage.fr
    • https://cdn.shopify.com/s/files/1/0428/2885/7503/files/zixozesoliwama.pdf
    • https://cdn.shopify.com/s/files/1/0431/5404/7137/files/tangled_the_series_season_2_episode_16.pdf
    • https://cdn.shopify.com/s/files/1/0431/7646/0448/files/fovebotevatisudilaliwofi.pdf
    • https://cdn.shopify.com/s/files/1/0427/9474/6023/files/34070323791.pdf
    • https://cdn.shopify.com/s/files/1/0430/2703/8369/files/vopogibod.pdf
    • https://cdn.shopify.com/s/files/1/0428/9314/8313/files/zonulifuwobaxoza.pdf
    • https://cdn.shopify.com/s/files/1/0431/5312/9640/files/avenged_sevenfold_dear_god_lyric.pdf
    • https://cdn.shopify.com/s/files/1/0440/9422/6584/files/zomiv.pdf
    • https://cdn.shopify.com/s/files/1/0429/2398/3001/files/siranemukuluwezorudajumuk.pdf
    • https://cdn.shopify.com/s/files/1/0429/0910/6335/files/70229282626.pdf
    • https://cdn.shopify.com/s/files/1/0433/7870/4536/files/fufufavatinonadixitazowul.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000062a5.bin
53d0b4b53d09d1785d3ac5f1e616bbbc83ca59e50554c18a6cefff9041b4b940		 pdf-font-stream PDF embedded font (sfnt) at offset 0x62A5 5448 bytes
font_01_sfnt_off00007506.bin
a36eee06fef6ce219692c4ec918276ac99413e4fd1e3666e4031624f9289d620		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7506 1800 bytes
font_02_sfnt_off00007d93.bin
ae980615105c33d380734abc73d08ec2536ed68757199698f892f1041ebe8c39		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D93 11472 bytes
font_03_sfnt_off0000a180.bin
4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA180 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.