Malicious PDF — malware analysis report

Static analysis result for SHA-256 f8fd04ec03c0fd00…

Verdict: MALICIOUS
File type: PDF
Size: 51.2 KB
Created: 2020-08-30 05:11:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2cf6e098cd4381fc3581485504fd9402
SHA-1: d5540b65df4ba7fe3fea91e7cf1a371ac7804258
SHA-256: f8fd04ec03c0fd00061bc49b9538eb4a8bb49074bb6336b49ab73e6c95106e2c
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, some of which are hosted on 'static.usrfiles.com' and 'cdn.shopify.com'. The ML classifier also strongly flagged this PDF as malicious. The primary attack vector appears to be directing users to a malicious site via the embedded link.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/wix?keyword=%25D8%25AC%25D9%2586%25D8%25B3+%25D9%2584%25D8%25A7%25D8%25B9%25D8%25A8+%25D8%25AD%25D9%2582%25D9%258A%25D9%2582%25D9%258A+%25D9%2585%25D8%25AC%25D8%25A7%25D9%2586%25D9%258A
    • https://static.usrfiles.com/ugd/b8c837_ec1581671e9f4cbabdd2bf6ea3278440.pdf
    • https://static.usrfiles.com/ugd/b8c837_a96ba4d53c5d49dcb42b83e3e8453bac.pdf
    • https://static.usrfiles.com/ugd/8d57bd_3b46b7bb1dd44d0fa7c9c3649d8da82f.pdf
    • https://static.usrfiles.com/ugd/271e65_215fd256403b4aa5b76fafc6587357f6.pdf
    • https://static.usrfiles.com/ugd/e4a001_c8bb7b6248b643bbbc9600746f183abb.pdf
    • https://cdn.shopify.com/s/files/1/0432/0228/1633/files/chiari_malformation_mri_films_vs_normal.pdf
    • https://cdn.shopify.com/s/files/1/0433/9341/7366/files/chappale_kannada_movie_songs_lyrics_free.pdf
    • https://cdn.shopify.com/s/files/1/0429/3686/0839/files/7615797930.pdf
    • https://cdn.shopify.com/s/files/1/0431/5119/6315/files/timatusozigunovitem.pdf
    • https://cdn.shopify.com/s/files/1/0432/3622/9278/files/ikea_kallax_shelf_instructions.pdf
    • https://cdn.shopify.com/s/files/1/0432/4684/6107/files/rufotoxokugar.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
stream_006_off000090f9.bin | 4c781b0ad77310b62a717e4989fa0fca71bab32e0eaa744ba4c7ad916c23802e | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x90F9 | 25288 bytes
font_00_sfnt_off00004d3a.bin | ca42d5ed38f04d35f6c6ef927e9c0e2abbbfec64d896d823d531a8752c72a089 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4D3A | 4068 bytes
font_01_sfnt_off00005b18.bin | 06acb4621db37dc7699210fdbed4c467e47687abf39013d02d7758aa27ed9300 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5B18 | 17864 bytes
font_02_sfnt_off00007613.bin | 61524ad7c1287aeb014f5a4f40d8755078333f95159138dcdcc0f5ddb391aa3b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7613 | 7876 bytes