Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ee7aa0ccbe9356e…

MALICIOUS

File type: PDF
Size: 62.8 KB
Created: 2020-09-05 21:37:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 22d507c7c49b65e96795df413de82979
SHA-1: 559a8e63b321a0e2f5277d7a7a97f687492a717c
SHA-256: 1ee7aa0ccbe9356e5d3b4de6671e59aaabfcb5e8d3a50d1dd5fcdd029cdcae64
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

A critical heuristic fired on a malicious redirector link that also appears in the document body. The link, 'https://ttraff.link/wix?keyword=learn+german+pdf+with+audio', is designed to redirect users to malicious content. The PDF also contains a link farm, with many links pointing to Shopify domains, suggesting an attempt to obscure the true destination or to distribute the malicious content. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.link/wix?keyword=learn+german+pdf+with+audio
    • https://cdn.shopify.com/s/files/1/0431/4945/9605/files/kunenimuriredakibigejav.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/buwukepenarunowara.pdf
    • https://cdn.shopify.com/s/files/1/0430/0675/4970/files/office_2016_crack_full.pdf
    • https://cdn.shopify.com/s/files/1/0431/7888/5280/files/saxugepojopa.pdf
    • https://cdn.shopify.com/s/files/1/0438/9342/4283/files/tilajeziz.pdf
    • https://static.usrfiles.com/ugd/b91566_9585411c40134fde80bedc198231984c.pdf
    • https://static.usrfiles.com/ugd/aa14a9_4fea2b537554464b9f4fa6dbef5f01b7.pdf
    • https://static.usrfiles.com/ugd/b8c837_b7bd71d33bf44ce9a13624c588a20dac.pdf
    • https://cdn.shopify.com/s/files/1/0436/4691/0624/files/32375405454.pdf
    • https://cdn.shopify.com/s/files/1/0462/6671/2218/files/corrections_officer_exam_ny_study_guide.pdf
    • https://cdn.shopify.com/s/files/1/0438/1189/7504/files/endocrine_society_guidelines_testosterone_2018.pdf
    • https://cdn.shopify.com/s/files/1/0437/5491/3943/files/wofulosu.pdf
    • https://cdn.shopify.com/s/files/1/0427/7560/9510/files/siwekuwerexoruma.pdf
    • https://cdn.shopify.com/s/files/1/0430/2874/2298/files/sadosimoposuperafugogevi.pdf
    • https://cdn.shopify.com/s/files/1/0428/5179/5107/files/barabanifarodi.pdf
    • https://cdn.shopify.com/s/files/1/0461/8895/3751/files/88309910012.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0431/4945/9605/files/kunenimuriredakibigeja

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000a04f.bin
  SHA-256: 79aa70d67bb83c13e34605c2fa86dbe66a8a4e108c0c473901182002c94e3f54
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA04F
  Size: 5276 bytes

Filename: font_01_sfnt_off0000b232.bin
  SHA-256: e9a8236534ac101b6d5b3d188a633f56c6f2cae63c7fd173d86a55e0c07e69d7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB232
  Size: 10888 bytes

Filename: font_02_sfnt_off0000d722.bin
  SHA-256: 75f54dcbdb6bbdf492082a36f5235caf11af5dfa309d7a97dc204457adfcf2be
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD722
  Size: 16860 bytes