Malicious PDF — malware analysis report

Static analysis result for SHA-256 0651a7480c50c29b…

MALICIOUS

PDF

46.7 KB Created: 2020-08-08 02:30:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9f7085850c86316d61dd3facdb3d2bdd SHA-1: 31425c0b19eca09dd9384e03722cc5473ab7eda5 SHA-256: 0651a7480c50c29b3f8a0dafbcfb93f9e6691e3342559756d8c5a8f93cd4a30f
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to external PDF files, suggesting a link farm for SEO manipulation or to host malicious content. One critical heuristic identified a link to known malicious redirector infrastructure at `https://ttraff.com/pify?keyword=amazing+grace+organ+sheet+music+pdf`. The ML classifier also strongly indicated maliciousness. The document body, though heavily obfuscated, contains the same malicious URL and other Shopify URLs, likely intended to appear as legitimate content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=amazing+grace+organ+sheet+music+pdf
    • http://files.updatescentral.com/uploads/1/3/1/3/131384018/fotimiva_nidanu_gibuvidedavade.pdf
    • http://files.allforonefoundation.org/uploads/1/3/2/6/132681150/8177222.pdf
    • http://files.strausorganizingsolutions.com/uploads/1/3/1/6/131607093/mugodup-norozogimuvig-jorepe-bufew.pdf
    • http://files.lynetteingramcassel.com/uploads/1/3/1/3/131379844/9355553.pdf
    • http://files.dare-tobelieve.com/uploads/1/3/1/4/131408017/xamavirawetus.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0434/3237/8517/files/vagubukutimis.pdf
    • https://cdn.shopify.com/s/files/1/0431/2947/1130/files/69683095418.pdf
    • https://cdn.shopify.com/s/files/1/0433/3853/0965/files/bruce_almighty_watch_online.pdf
    • https://cdn.shopify.com/s/files/1/0431/6309/1112/files/pazoxudatenipur.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/sakemiribukewud.pdf
    • https://cdn.shopify.com/s/files/1/0431/4251/2802/files/advertisement_examples_for_students.pdf
    • https://cdn.shopify.com/s/files/1/0438/8909/8907/files/surewupitijuvidor.pdf
    • https://cdn.shopify.com/s/files/1/0431/6259/9585/files/formacion_de_placa_ateromatosa.pdf
    • https://cdn.shopify.com/s/files/1/0435/2265/4362/files/10135979009.pdf
    • https://cdn.shopify.com/s/files/1/0438/0976/7584/files/23045053645.pdf
    • https://cdn.shopify.com/s/files/1/0430/1648/7065/files/fisamujazefasox.pdf
    • https://cdn.shopify.com/s/files/1/0432/9055/8622/files/65638419436.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006f01.bin
2a98df7a8ae933d3bc89cfa618d22548ec622a370dd72a5cf50c7aff03700a62		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F01 5576 bytes
font_01_sfnt_off000081d7.bin
18da10e5e1d2825583ff5a24bfdad7e2750c168826c8e6a1bba8d02c4b172078		 pdf-font-stream PDF embedded font (sfnt) at offset 0x81D7 14072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.