Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c4a2d8240b53f99…

Verdict: MALICIOUS
File type: PDF
Size: 43.8 KB    Created: 2020-08-08 08:27:33 +03:00    Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b67cc71517dbb1aaba002399b97da0c7
SHA-1: 5ba173e2deab1fbda556b90244608cc3cb8e631f
SHA-256: 1c4a2d8240b53f99c8571af2abd1aa05a8011ec5201400192ab9caef8edcd7fc
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF carries a clickable redirector link (ttraff.cc) disguised as a FedEx freight air waybill download, intended to get the user to click it. The document body is heavily obfuscated but still contains the URL that triggers the redirect. The remaining external links, most of them .pdf files hosted on cdn.shopify.com and similar file-hosting paths, suggest a link farm used for SEO poisoning and to hide the final malicious destination behind a redirect chain.

Machine Learning

  • Nyx PDF Classifier: malicious, score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=fedex+freight+air+waybill+pdf
    • http://files.inknbeans.com/uploads/1/3/0/7/130739769/garozojerip-xijapa-fivebe-jedefune.pdf
    • http://files.moretondivingandmarinecontracting.com/uploads/1/3/0/9/130969917/2379655.pdf
    • http://files.bergencountynotarydocument.com/uploads/1/3/0/7/130739379/bapomotuluwaped_zugagemomene.pdf
    • http://files.soulsisters.shop/uploads/1/3/2/6/132680905/7140742.pdf
    • https://cdn.shopify.com/s/files/1/0437/1965/5579/files/read_csv_in_r.pdf
    • https://cdn.shopify.com/s/files/1/0432/6565/4939/files/nigup.pdf
    • https://cdn.shopify.com/s/files/1/0434/1871/4277/files/novudisovisavivusejetod.pdf
    • https://cdn.shopify.com/s/files/1/0444/3511/2103/files/scalp_psoriasis.pdf
    • https://cdn.shopify.com/s/files/1/0428/8266/2553/files/wilulawosedepovifivato.pdf
    • https://cdn.shopify.com/s/files/1/0437/8643/6759/files/jedonidovebufemodituboves.pdf
    • https://cdn.shopify.com/s/files/1/0431/1298/8821/files/94162534076.pdf
    • https://cdn.shopify.com/s/files/1/0435/6187/7665/files/ssc_mathematics_books_download.pdf
    • https://cdn.shopify.com/s/files/1/0434/6393/4109/files/tadewi.pdf
    • https://cdn.shopify.com/s/files/1/0432/6028/0982/files/pogawowaludubojug.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are RDF/Dublin Core/Adobe XMP schema namespace URIs from the document's XMP metadata stream, not clickable links. They appear in any XMP-tagged PDF and carry no detection weight; only the link annotations above are user-reachable.
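As an added illustration of the two critical heuristics above (this is example code written for this page, not the analysis service's own detection logic), the following Python extracts clickable /URI actions from raw PDF bytes, inflates FlateDecode streams first so links buried in compressed object streams are not missed, keeps XMP namespace URIs apart from real link annotations, and then applies the known-redirector and link-farm checks. The sample PDF bytes are constructed here and are not the analysed file; the thresholds (100 KB, five .pdf links, at least half of all clickable links on one host) are assumptions chosen for the demo, and the redirector list contains only the host named in this report.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# --- Constructed test input (not the analysed sample) --------------------
# A minimal, uncompressed PDF skeleton with link annotations and an XMP
# metadata stream. Stream /Length keys are omitted: the extractor works on
# raw bytes and never performs a full PDF parse.
SKELETON = b"""%PDF-1.5
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 10 0 R 12 0 R] >> endobj
4 0 obj << /Type /Metadata /Subtype /XML >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:dc="http://purl.org/dc/elements/1.1/"
         xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>
endstream
endobj
5 0 obj << /Subtype /Link /A << /S /URI /URI (https://ttraff.cc/pify?keyword=fedex+freight+air+waybill+pdf) >> >> endobj
6 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0437/1965/5579/files/read_csv_in_r.pdf) >> >> endobj
7 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0432/6565/4939/files/nigup.pdf) >> >> endobj
8 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0434/1871/4277/files/novudisovisavivusejetod.pdf) >> >> endobj
9 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0444/3511/2103/files/scalp_psoriasis.pdf) >> >> endobj
10 0 obj << /Subtype /Link /A << /S /URI /URI (http://files.soulsisters.shop/uploads/1/3/2/6/132680905/7140742.pdf) >> >> endobj
"""
# One more link annotation hidden inside a Flate-compressed object stream,
# the kind of obfuscated body that a naive grep over the file would miss.
HIDDEN_LINK = b"12 0 << /Subtype /Link /A << /S /URI /URI (http://files.inknbeans.com/uploads/1/3/0/7/130739769/garozojerip-xijapa-fivebe-jedefune.pdf) >> >>"
OBJSTM = (b"11 0 obj << /Type /ObjStm /N 1 /First 5 /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(HIDDEN_LINK) + b"\nendstream\nendobj\n")
SAMPLE_PDF = SKELETON + OBJSTM + b"trailer << /Root 1 0 R >>\n%%EOF\n"

# --- Extraction ----------------------------------------------------------
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")    # /URI (literal string)
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9_]+="([^"]+)"')  # XMP schema namespaces


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every FlateDecode stream so URIs inside
    compressed object streams become visible to the byte-level regexes.
    Streams with other filters (or none) raise zlib.error and are skipped."""
    extra = []
    for m in STREAM_RE.finditer(data):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return data + b"\n" + b"\n".join(extra)


def unescape_pdf_string(raw: bytes) -> str:
    # Minimal PDF literal-string unescaping: only \( \) and \\ are handled.
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_urls(data: bytes) -> list[tuple[str, str]]:
    """Return (channel, url) pairs. 'link-annotation' URLs are clickable;
    'xmp-namespace' URIs are metadata schema identifiers, not links."""
    expanded = inflate_streams(data)
    found = [("link-annotation", unescape_pdf_string(m.group(1)))
             for m in URI_RE.finditer(expanded)]
    found += [("xmp-namespace", m.group(1).decode("latin-1"))
              for m in XMLNS_RE.finditer(expanded)]
    return found


# --- Heuristics (thresholds are assumptions for this demo) ---------------
KNOWN_REDIRECTORS = {"ttraff.cc"}   # only the host named in the report above
SMALL_PDF_BYTES = 100 * 1024
MIN_FARM_PDF_LINKS = 5
HOST_CLUSTER_SHARE = 0.5            # at least half of clickable links on one host


def evaluate(data: bytes) -> dict:
    urls = extract_urls(data)
    clickable = [u for ch, u in urls if ch == "link-annotation"]
    hosts = Counter(urlparse(u).hostname or "" for u in clickable)
    pdf_links = [u for u in clickable if urlparse(u).path.lower().endswith(".pdf")]
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    hits = []
    if any(urlparse(u).hostname in KNOWN_REDIRECTORS for u in clickable):
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if (len(data) < SMALL_PDF_BYTES and len(pdf_links) >= MIN_FARM_PDF_LINKS
            and top_n / len(clickable) >= HOST_CLUSTER_SHARE):
        hits.append("PDF_SEO_LINK_FARM")
    if clickable:
        hits.append("EMBEDDED_URL")
    return {"size": len(data), "urls": urls, "hosts": dict(hosts),
            "pdf_links": len(pdf_links), "top_host": top_host, "hits": hits}


if __name__ == "__main__":
    result = evaluate(SAMPLE_PDF)
    print(result["hits"], result["hosts"])
```

Two points the example is meant to make: the XMP namespace URIs are discovered but never counted as clickable, so they cannot inflate the link-farm score, and the link inside the compressed object stream is only found because streams are inflated before the regex pass. A production extractor would additionally decode hex strings, handle the other stream filters, and resolve indirect /URI objects; this demo deliberately stops at FlateDecode and literal strings.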

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off00006a09.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x6A09   5484 bytes
  SHA-256: f8e58fb6fb2812137d96b5ba7038f5c1fe753620bd9eb0e0a1c000a802627453
font_01_sfnt_off00007cc8.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x7CC8   10668 bytes
  SHA-256: 49eeed5ecbbaad00b45d98c83cb5babc11a697916e44d203dccee7f9e4b779e5