Malicious PDF — malware analysis report

Static analysis result for SHA-256 1edb167f380e21d5…

MALICIOUS

PDF

53.1 KB Created: 2020-07-30 06:22:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aa1f3106dba3dc396fbd815565a28c49 SHA-1: 975724f7b68f83c542cd572f703a965c94248b3c SHA-256: 1edb167f380e21d51e15eb79e4e8b179247bcbb4cbf5eede368166758a390330
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, identified as a link farm. One of these links, https://ttraff.com/pify?keyword=kwame+anthony+appiah+the+lies+that+bind+pdf, is flagged as a malicious redirector. This suggests the document's primary purpose is to lure users into clicking malicious links, potentially leading to phishing sites or malware downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=kwame+anthony+appiah+the+lies+that+bind+pdf
    • http://files.utcgear.com/uploads/1/3/1/4/131438869/salowujorul.pdf
    • http://files.mfldiobr.org/uploads/1/3/0/9/130969057/dimesowen.pdf
    • http://files.midwest-paint-group.us/uploads/1/3/0/7/130739693/madotolekew-juwijobira-tupozam-livasikox.pdf
    • http://files.midwest-paint-group.us/uploads/1/3/0/7/130739693/madotolekew-juwijob
    • https://cdn.shopify.com/s/files/1/0431/3199/4280/files/kegikipukigepipipamawup.pdf
    • https://cdn.shopify.com/s/files/1/0438/8945/9368/files/79556588302.pdf
    • https://cdn.shopify.com/s/files/1/0431/6938/2568/files/bivevipukovunenamojure.pdf
    • https://cdn.shopify.com/s/files/1/0434/7474/7545/files/jizipudefodumowi.pdf
    • https://cdn.shopify.com/s/files/1/0429/6255/0940/files/bafesoroxa.pdf
    • https://cdn.shopify.com/s/files/1/0433/3505/7559/files/99648037271.pdf
    • https://cdn.shopify.com/s/files/1/0433/1238/2117/files/wupopiko.pdf
    • https://cdn.shopify.com/s/files/1/0433/3384/5150/files/77609982257.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/78476378890.pdf
    • https://cdn.shopify.com/s/files/1/0429/1713/4499/files/33539509736.pdf
    • https://cdn.shopify.com/s/files/1/0431/7167/6314/files/63534672907.pdf
    • https://cdn.shopify.com/s/files/1/0430/5905/2706/files/xinatobemejerit.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008e86.bin
f55a9b7c10d3e66d9ccb3ad9d2ffcb37ce0b5cc51e26c711d0f0861976a30092		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8E86 5276 bytes
font_01_sfnt_off0000a05e.bin
3f24b95ca309ef9b5a8938d2a056c5fe593189e0d626e2dc8adbb4b5c4fdc00a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA05E 10688 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.