Malicious PDF — malware analysis report

Static analysis result for SHA-256 fe9934c12c27d9d4…

MALICIOUS

PDF

41.9 KB Created: 2020-08-25 02:13:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fd1be41cdb9b2397709f8a5a58a2fbe0 SHA-1: 7bf6d47faf0adc00a3ea2c67bdc56a12ed22357d SHA-256: fe9934c12c27d9d4eaf8897b0d076199a7c1e2869d549eeddb39f42c2e54c80b
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.cc, which is designed to lead users to malicious sites. The document body, though heavily obfuscated, contains the same URL and a keyword related to embroidery patterns, suggesting a lure. The PDF also hosts a large number of links to other PDFs, many hosted on Shopify, which is characteristic of SEO poisoning or link farm techniques to improve search engine ranking for malicious content. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=hand+embroidery+patterns+for+bed+sheets
    • http://files.modernwellnesscounseling.com/uploads/1/3/1/0/131070851/d6e26589007e5e5.pdf
    • https://cdn.shopify.com/s/files/1/0431/4313/5393/files/agenda_2019_google_spreadsheet.pdf
    • https://cdn.shopify.com/s/files/1/0437/9744/6813/files/word_genius_answers_story_time.pdf
    • https://cdn.shopify.com/s/files/1/0434/0419/8044/files/meeting_scheduler_template_excel.pdf
    • https://cdn.shopify.com/s/files/1/0429/4678/9542/files/fibawe.pdf
    • https://cdn.shopify.com/s/files/1/0438/2900/2390/files/digutudusutefik.pdf
    • https://cdn.shopify.com/s/files/1/0432/2656/2722/files/rejad.pdf
    • https://cdn.shopify.com/s/files/1/0434/9696/4261/files/34287706355.pdf
    • https://cdn.shopify.com/s/files/1/0437/3997/1738/files/albert_bandura_self_efficacy.pdf
    • https://cdn.shopify.com/s/files/1/0435/2029/5064/files/ratuxuwalise.pdf
    • https://cdn.shopify.com/s/files/1/0431/2875/0234/files/69359902022.pdf
    • https://cdn.shopify.com/s/files/1/0428/8996/9820/files/materi_akuntansi_keuangan.pdf
    • https://cdn.shopify.com/s/files/1/0438/8644/4699/files/gugogepubato.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/49470024852.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005905.bin
afb528cecbc5de4b973a304fc6a33369ebe85a47d2e2a0400ed0135459afa05b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5905 5240 bytes
font_01_sfnt_off00006a98.bin
62273705133dca84724217ac9ae5fd11e4aabe7a93a3e4bda852cc02d5fba4a0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6A98 9904 bytes
font_02_sfnt_off00008c6c.bin
a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8C6C 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.