Malicious PDF — malware analysis report

Static analysis result for SHA-256 121a507a18a2f982…

MALICIOUS

PDF

Size: 34.6 KB
Created: 2020-08-21 01:00:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dc6ae508d46234eeb7502cc5a1ddf40a
SHA-1: 1cc3d09f4dbe7f8cfc05499dbc6eec0588727c3e
SHA-256: 121a507a18a2f982fbc80213c92c3d6669130541d4df6c05a32407dcf535b96e
Risk score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF was flagged by multiple critical heuristics for containing malicious redirector links and a large link farm. The primary malicious URL is https://ttraff.com/pify?keyword=panasonic+av-+hs410+manual, a redirector most likely used to route the reader to spam, phishing or unwanted-software content; its keyword parameter carries the search term the lure targets. The document body contains garbled text but also repeats the redirector URL alongside the cdn.shopify.com-hosted .pdf links that make up the link farm, which points to a generated SEO lure rather than a genuine document.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (actions, JavaScript, links).
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=panasonic+av-+hs410+manual
    • http://files.gambia-birdingexperience.com/uploads/1/3/1/4/131453843/554b416ab5.pdf
    • http://files.cauzacstonecladding.com/uploads/1/3/1/8/131856852/gekixexujinilixulug.pdf
    • http://files.aksimsurgical.co.uk/uploads/1/3/1/4/131482968/nuxotexejumo-bifakawaxaxozak.pdf
    • http://files.sportmednews.com/uploads/1/3/1/4/131407493/5417915.pdf
    • http://moxag.hisheartfororphans.com/uploads/1/3/0/8/130874655/0782316e51a8d97.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0443/4948/9308/files/blank_calendar_template_october_2020.pdf
    • https://cdn.shopify.com/s/files/1/0444/2878/7878/files/brooklyn_nine_nine_season_6_complete.pdf
    • https://cdn.shopify.com/s/files/1/0435/2314/5896/files/alimentacion_y_nutricion_en_edad_escolar.pdf
    • https://cdn.shopify.com/s/files/1/0431/9015/7473/files/8938982321.pdf
    • https://cdn.shopify.com/s/files/1/0430/0577/1929/files/lidixidozujizazizule.pdf
    • https://cdn.shopify.com/s/files/1/0429/1916/6119/files/rorugaxefojokudale.pdf
    • https://cdn.shopify.com/s/files/1/0434/9470/3270/files/perianal_fistula_mri.pdf
    • https://cdn.shopify.com/s/files/1/0437/1388/8424/files/zumazijaxupigaguvefogez.pdf
    • https://cdn.shopify.com/s/files/1/0434/1510/9794/files/zavilelimuru.pdf
    • https://cdn.shopify.com/s/files/1/0434/8257/9110/files/bosedivoradekafunasetoli.pdf
    • https://cdn.shopify.com/s/files/1/0432/2410/5121/files/79361165712.pdf
    • https://cdn.shopify.com/s/files/1/0431/6797/3538/files/86691042182.pdf
    • https://cdn.shopify.com/s/files/1/0437/3417/1813/files/design_thinking_process_guide.pdf
    • https://cdn.shopify.com/s/files/1/0435/2072/1055/files/anemia_ferropenica_microcitica_hipocromica.pdf
    • https://cdn.shopify.com/s/files/1/0438/3775/1456/files/avenir_bold_font_free_dafont.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
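The three heuristics above (per-channel URL extraction, the small-PDF external .pdf link farm, and duplicate object definitions with differing bodies) are easy to reproduce with a naive scan of the raw file bytes. The script below is an added example and is not the analysis tool's own code: the rule names are taken from this report, but the thresholds (200 KB, at least 8 .pdf links, at least half on one host), the list of "active content" tokens, the placeholder redirector host and the constructed sample PDF are all assumptions. It scans `N G obj ... endobj` spans with a regex, so it only handles uncompressed objects, not object streams.

```python
"""Static triage of a raw PDF byte string, modelled on three of the report's
heuristics: per-channel URL extraction (EMBEDDED_URL), the small-PDF external
.pdf link farm (PDF_SEO_LINK_FARM) and duplicate indirect-object definitions
with differing bodies (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL). Added example;
rule names are from the report, thresholds and the sample PDF are not."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Naive object scanner: fine for uncompressed, non-object-stream PDFs like the sample.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # URI action target
JS_RE = re.compile(rb"/JS\s*\(([^)]*)\)")            # inline JavaScript string
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# Assumed markers of "active content" used to escalate duplicate-object severity.
ACTIVE_TOKENS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction", b"/AA")

def iter_objects(pdf):
    """Yield (num, gen, offset, body) for every 'N G obj ... endobj' occurrence."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.start(), m.group(3)

def extract_urls(pdf):
    """Map each URL to the channels that reached it: link_annotation (URI action),
    javascript (inside a /JS string) or document_body (plain text anywhere else)."""
    channels = defaultdict(set)
    for _num, _gen, _off, body in iter_objects(pdf):
        in_action = set(URI_RE.findall(body))
        in_js = {u for blob in JS_RE.findall(body) for u in URL_RE.findall(blob)}
        for u in in_action:
            channels[u.decode("latin-1")].add("link_annotation")
        for u in in_js:
            channels[u.decode("latin-1")].add("javascript")
        for u in URL_RE.findall(body):
            if u not in in_action and u not in in_js:
                channels[u.decode("latin-1")].add("document_body")
    return {u: sorted(c) for u, c in channels.items()}

def link_farm_report(pdf, max_size=200 * 1024, min_links=8, cluster_ratio=0.5):
    """PDF_SEO_LINK_FARM shape: a small file whose clickable links are mostly
    external .pdf files clustered on one host. Thresholds are assumptions."""
    urls = extract_urls(pdf)
    pdf_links = [u for u, ch in urls.items()
                 if "link_annotation" in ch and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    ratio = top_count / len(pdf_links) if pdf_links else 0.0
    flagged = len(pdf) <= max_size and len(pdf_links) >= min_links and ratio >= cluster_ratio
    return {"flagged": flagged, "pdf_links": len(pdf_links), "top_host": top_host,
            "top_host_ratio": ratio, "size": len(pdf)}

def duplicate_objects(pdf):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape: the same (num, gen) defined more
    than once with different bytes. Reports what a first-wins and a last-wins
    reader would each resolve; severity is raised only for active content."""
    defs = defaultdict(list)
    for num, gen, off, body in iter_objects(pdf):
        defs[(num, gen)].append((off, body.strip()))
    findings = []
    for key, entries in defs.items():
        bodies = [b for _, b in entries]
        if len(entries) > 1 and len(set(bodies)) > 1:
            active = any(tok in b for b in bodies for tok in ACTIVE_TOKENS)
            findings.append({"obj": key, "definitions": len(entries),
                             "offsets": [o for o, _ in entries],
                             "first_wins": bodies[0], "last_wins": bodies[-1],
                             "severity": "high" if active else "info"})
    return findings

REDIRECTOR = "https://redirector.example/pify?keyword=panasonic+manual"  # placeholder host, not the real one

def build_sample_pdf():
    """Constructed sample (not the analysed file): nine .pdf link annotations on
    one host plus two on others, the redirector URL in page text, and object 6
    redefined later in the file, incremental-update style, to point at it."""
    farm_hosts = ["cdn-a.example"] * 9 + ["files-b.example", "files-c.example"]
    annots = " ".join(f"{10 + i} 0 R" for i in range(len(farm_hosts)))
    content = b"BT /F1 12 Tf 72 720 Td (" + REDIRECTOR.encode() + b") Tj ET"
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 5 0 R /Annots [{annots}] >>\nendobj\n".encode(),
        b"5 0 obj\n<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream\nendobj\n",
        b"6 0 obj\n<< /S /URI /URI (https://docs.example/manual.pdf) >>\nendobj\n",
    ]
    for i, host in enumerate(farm_hosts):
        parts.append(f"{10 + i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                     f"/A << /S /URI /URI (http://{host}/uploads/1/3/1/{i}/doc{i}.pdf) >> >>\nendobj\n".encode())
    # Second definition of 6 0 with a different body: a last-wins reader follows the redirector.
    parts.append(b"6 0 obj\n<< /S /URI /URI (" + REDIRECTOR.encode() + b") >>\nendobj\n")
    parts.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)

if __name__ == "__main__":
    sample = build_sample_pdf()
    for url, ch in sorted(extract_urls(sample).items()):
        print(f"{','.join(ch):<32} {url}")
    print(link_farm_report(sample))
    for f in duplicate_objects(sample):
        print(f"obj {f['obj']} defined {f['definitions']}x at {f['offsets']}, severity {f['severity']}")
        print("  first-wins:", f["first_wins"].decode("latin-1"))
        print("  last-wins :", f["last_wins"].decode("latin-1"))
```

On the constructed sample the redirector URL is reached through two channels (page text and the redefined URI action), the link farm fires with 12 external .pdf links of which 9 sit on one host, and object 6 is reported with both resolutions so the analyst can see which target a first-wins versus last-wins viewer would follow.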

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00004afe.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x4AFE  5316 bytes
  SHA-256: a6622dd3fcc38cea65371962955b3358994477c4c08093a3de14720db93714b2
font_01_sfnt_off00005cff.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5CFF  9568 bytes
  SHA-256: 22a07fab298dce55b06dfc7dd684e03e6a07c017ccb4aecb088eb06bc8091678
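The artifact rows above (filename encoding the stream offset, decoded size, SHA-256) can be reproduced with a small carver. The script below is an added example, not the analysis tool's code: it locates `stream ... endstream` spans, inflates FlateDecode payloads, keeps those that start with an sfnt magic (TrueType 0x00010000, `true`, `OTTO`, `ttcf`), and hashes the decoded bytes. The 16-byte font blob and the surrounding PDF are constructed for the demonstration, and the stream regex is deliberately simple (it does not honour `/Length` or nested dictionaries), which a production carver should.

```python
"""Carve embedded sfnt fonts (TrueType/OpenType) out of a PDF the way the
'Extracted artifacts' table reports them: stream offset, decoded size, SHA-256.
Added example, not the analysis tool's code; the sample PDF is constructed."""
import hashlib
import re
import zlib

# Dictionary without nested brackets, then the raw stream payload up to endstream.
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def carve_sfnt_fonts(pdf):
    """Return one record per stream whose (decoded) bytes start with an sfnt
    magic. offset is the file offset of the raw stream payload, as in the report."""
    fonts = []
    for m in STREAM_RE.finditer(pdf):
        dictionary, raw = m.group(1), m.group(2)
        data = raw
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # corrupt or truncated payload: nothing to carve
        if data[:4] in SFNT_MAGICS:
            off = m.start(2)
            fonts.append({"filename": f"font_{len(fonts):02d}_sfnt_off{off:08x}.bin",
                          "offset": off, "size": len(data),
                          "sha256": sha256_hex(data), "data": data})
    return fonts

# Constructed 16-byte sfnt: version 1.0 header with zero tables plus padding (not a usable font).
SAMPLE_FONT = b"\x00\x01\x00\x00" + b"\x00" * 12

def build_sample_pdf():
    """Constructed sample: one plain content stream and one FlateDecode font stream."""
    text = b"BT (hello) Tj ET"
    flate = zlib.compress(SAMPLE_FONT)
    parts = [
        b"%PDF-1.4\n",
        b"4 0 obj\n<< /Length %d >>\nstream\n" % len(text), text, b"\nendstream\nendobj\n",
        b"7 0 obj\n<< /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n"
        % (len(flate), len(SAMPLE_FONT)),
        flate, b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)

if __name__ == "__main__":
    for rec in carve_sfnt_fonts(build_sample_pdf()):
        print(f"{rec['filename']}  pdf-font-stream  sfnt at offset 0x{rec['offset']:X}  "
              f"{rec['size']} bytes  SHA-256 {rec['sha256']}")
```

Hashing the decoded bytes rather than the raw Flate payload is what makes the SHA-256 comparable across samples: the same font re-embedded by the same generator (here wkhtmltopdf) yields the same digest even when the compressed bytes differ.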