Malicious PDF — malware analysis report

Static analysis result for SHA-256 2dcbf0c0d05cad80…

MALICIOUS

PDF

36.5 KB Created: 2020-08-30 10:51:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f0f1be887d21a33080abe4ca36f87116 SHA-1: 3a045331a31080fd6b674a65600b56e2b35e1f9e SHA-256: 2dcbf0c0d05cad80aa0d648f8d6b53379fa479ec64c94cceb972d43328700f76
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm designed to redirect users to malicious infrastructure, specifically identified by the critical heuristic PDF_MALICIOUS_REDIRECTOR_LINK. The primary malicious URL is https://ttraff.com/wix?keyword=beavis+and+butthead+do+america+onlin. The document body also contains this URL and numerous other links to benign-looking PDFs hosted on CDNs, likely as a SEO poisoning tactic. The ML classifier strongly supports the malicious verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=beavis+and+butthead+do+america+onlin
    • https://static.usrfiles.com/ugd/b8c837_b7fb09465e844f60a5f78eeb576c7fdd.pdf
    • https://static.usrfiles.com/ugd/b8c837_31b9de4785a74f6d8c7e70ad1ce593df.pdf
    • https://static.usrfiles.com/ugd/b8c837_0502482389fa47d68f232241c21bd58a.pdf
    • https://static.usrfiles.com/ugd/b8c837_66738736f2ad4c5b98e62a0b1133a496.pdf
    • https://cdn.shopify.com/s/files/1/0428/6346/0508/files/kajovabinatawovidafogeke.pdf
    • https://cdn.shopify.com/s/files/1/0429/2267/2284/files/instantiate_template_class_cpp.pdf
    • https://cdn.shopify.com/s/files/1/0427/5824/2470/files/xowimenudawebederipuvitig.pdf
    • https://cdn.shopify.com/s/files/1/0435/3222/2615/files/11303923316.pdf
    • https://cdn.shopify.com/s/files/1/0429/9898/8954/files/vavojijud.pdf
    • https://cdn.shopify.com/s/files/1/0432/5664/3739/files/managing_workplace_diversity.pdf
    • https://cdn.shopify.com/s/files/1/0429/1143/2857/files/posotobozo.pdf
    • https://cdn.shopify.com/s/files/1/0429/8863/4263/files/genofibilimara.pdf
    • https://cdn.shopify.com/s/files/1/0428/0611/6511/files/78044326120.pdf
    • https://cdn.shopify.com/s/files/1/0434/4076/7132/files/cardi_b_bodak_yellow_lyrics_video.pdf
    • https://cdn.shopify.com/s/files/1/0430/0357/6481/files/total_conquest_mod_apk_android_1_plus.pdf
    • https://cdn.shopify.com/s/files/1/0428/9282/0647/files/juventus_vs_atletico_madrid_match_report.pdf
    • https://cdn.shopify.com/s/files/1/0439/2920/6939/files/13050385430.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004c9f.bin
cef6a9d1f17d0d5d420197e2cba3393b0fdc9766d324186d5a4bc5644b55eca4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4C9F 5428 bytes
font_01_sfnt_off00005ee2.bin
438a96d31a2100efbde455d90ee4c2cdcb88e91a2cf8766a680d22c80af58029		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EE2 10604 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.