Malicious PDF — malware analysis report

Static analysis result for SHA-256 152dbebc3ed02054…

MALICIOUS

PDF

44.5 KB Created: 2020-08-27 13:26:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2602a4fe7ce5823768bc89b5aa9113e2 SHA-1: e324066a18082685ce81e2f0ab5859e3a827d7d5 SHA-256: 152dbebc3ed02054dec005a2abd37a74c2c05e2e3c34e133c420d46b5d89ebcb
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to external PDF files, a technique often used for SEO poisoning or to distribute malicious content. One critical heuristic identified a link to known malicious redirector infrastructure. The document body also contains the URL 'https://ttraff.link/pify?keyword=1046+angel+number', which is likely the primary lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/pify?keyword=1046+angel+number
    • http://pivujib.elisaeliot.com/uploads/1/3/1/3/131398563/649889.pdf
    • http://files.bikingtheforks.com/uploads/1/3/1/4/131407742/93ed40e1.pdf
    • http://files.kajancbd.com/uploads/1/3/0/7/130776200/xobojogokod.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0435/8671/5805/files/92178524593.pdf
    • https://cdn.shopify.com/s/files/1/0436/3000/2336/files/wuwamopo.pdf
    • https://cdn.shopify.com/s/files/1/0440/4156/8421/files/teviwovebuxuwutozaj.pdf
    • https://cdn.shopify.com/s/files/1/0430/8900/2645/files/xidadigugovulivijej.pdf
    • https://cdn.shopify.com/s/files/1/0429/9938/2170/files/abnormal_psychology_16th_edition_free.pdf
    • https://cdn.shopify.com/s/files/1/0432/0791/7729/files/zojabapenokepat.pdf
    • https://cdn.shopify.com/s/files/1/0432/5294/0968/files/fuvuxixanuw.pdf
    • https://cdn.shopify.com/s/files/1/0464/8026/1288/files/38956692114.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007168.bin
0d035aed0e13c03bfde4f39cc794f2fec58b0347bf0b0d72db2e0caf05e1650a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7168 5308 bytes
font_01_sfnt_off0000835f.bin
b2f158912cc761c045c6f7c0829577571dac94a40446d79b8fce10caee878fb7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x835F 10088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.