Malicious PDF — malware analysis report

Static analysis result for SHA-256 01bf7a266865e2fe…

MALICIOUS

PDF

41.4 KB Created: 2020-08-29 18:44:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ce83a0bd817ade42cf401713c2f404b6 SHA-1: 70be257bf658068e1c4fa25cfdcd96797f2161df SHA-256: 01bf7a266865e2fe919ea6a6eb379facde31b04d6beabe56113473e2c6ece580
154 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=t25+schedule+alpha+beta+gamma'. The document body, though heavily obfuscated, contains text fragments that appear to be a schedule and references to the redirector URL. The presence of a large number of embedded links, many pointing to benign Shopify PDFs, suggests a link farm or SEO poisoning tactic to mask the malicious redirector. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=t25+schedule+alpha+beta+gamma
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0430/5453/0709/files/woripumuvun.pdf
    • https://cdn.shopify.com/s/files/1/0428/1267/0111/files/bridge_to_terabithia_whole_book_quiz.pdf
    • https://cdn.shopify.com/s/files/1/0439/6960/9886/files/90635345718.pdf
    • https://cdn.shopify.com/s/files/1/0434/7009/4501/files/etymology_bible.pdf
    • https://static.usrfiles.com/ugd/89064d_a43f615631de4773ab76d7e3fcce4fa0.pdf
    • https://static.usrfiles.com/ugd/b8c837_f51bc2012eb84854a7d5e1f9fb98dab3.pdf
    • https://static.usrfiles.com/ugd/93c935_03638ce4faaa48f1ab54dc12fa9f2953.pdf
    • https://static.usrfiles.com/ugd/accd1f_b9b6555d50c0408f9b3b53b6d8e0d602.pdf
    • https://cdn.shopify.com/s/files/1/0427/7701/8524/files/36341674851.pdf
    • https://cdn.shopify.com/s/files/1/0434/5259/6374/files/64631204538.pdf
    • https://cdn.shopify.com/s/files/1/0432/9730/8840/files/xanuxorinefiba.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/vepotarinaf.pdf
    • https://cdn.shopify.com/s/files/1/0439/2209/6283/files/waiting_for_godot_analysis_themes.pdf
    • https://cdn.shopify.com/s/files/1/0434/8523/3302/files/loregutogejidefugogeperu.pdf
    • https://cdn.shopify.com/s/files/1/0433/8493/0462/files/95086901575.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000061ed.bin
5deb9ab2fb5d6c8f791ed60cf99a06d3101e90414e760a63b0f86fa31dcd1e4e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x61ED 5736 bytes
font_01_sfnt_off0000753f.bin
48644a88f00e31c62d308cae069c9008c6ac2809ed81a900e991ca5a8b20dadd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x753F 10552 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.