Malicious PDF — malware analysis report

Static analysis result for SHA-256 3371a383248fb2b7…

MALICIOUS

PDF

40.0 KB Created: 2020-09-16 18:25:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: edabc847bfda0d18d5d88bd4915b3e3a SHA-1: 4a8c4c5eced1fd13e4015401b7e2af747e23c4b2 SHA-256: 3371a383248fb2b78950add751db3f555ae3fa750c7e6c79f894a3675cbfb18f
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains embedded links, one of which, 'https://ttraff.me/wix?keyword=norcold+1200lrim+manual', is identified as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting a lure to download or view a manual. The presence of numerous other PDF links, many hosted on Shopify, indicates a link farm strategy to improve search engine visibility for malicious content. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=norcold+1200lrim+manual
    • http://kazani.shopatlantaskinspot.com/uploads/1/3/0/7/130739163/3101664.pdf
    • http://files.bibliognostic.com/uploads/1/3/1/3/131379042/26e46c2.pdf
    • http://files.tabernaclesg.org/uploads/1/3/2/7/132712163/puvadazi_letigan_wutoribikix.pdf
    • http://files.bcox1.com/uploads/1/3/0/7/130776730/pogogo.pdf
    • https://cdn.shopify.com/s/files/1/0440/7810/4728/files/76648005781.pdf
    • https://cdn.shopify.com/s/files/1/0438/0921/0529/files/digital_principles_and_design_givone.pdf
    • https://cdn.shopify.com/s/files/1/0436/5107/2158/files/97723865976.pdf
    • https://cdn.shopify.com/s/files/1/0428/0818/0895/files/journal_of_psychology_and_christiani.pdf
    • https://f9781289-292b-4bd8-9a0a-7146229946a0.filesusr.com/ugd/73c254_d641775ac5e14c2885b16e28714f080f.pdf?index=true
    • https://0af14f5c-ca22-4bc2-8646-5af6df61b7f8.filesusr.com/ugd/2dbf5a_70b2149578384cf799e4ca1a5e58474a.pdf?index=true
    • https://7ff62115-7e15-44be-b212-fd51a3ac7919.filesusr.com/ugd/32777b_21800cd3cc21419dba857aeb0dfd1035.pdf?index=true
    • https://ebaf1a0a-61f2-488f-a1d5-c2301404be89.filesusr.com/ugd/dcc11b_0e021d34e4164175b5286ac341244497.pdf?index=true
    • https://35a6b2bf-0d45-4ae0-aa17-f2ea38ea0f8a.filesusr.com/ugd/e2b09b_8799e1e76a9f4f3d99bb756767c74a77.pdf?index=true
    • https://41e77ed4-122e-42ab-a2bc-55abf9a8a66a.filesusr.com/ugd/b148e5_2ec86e8cb76a4d929ca5d33b05cd5125.pdf?index=true
    • https://d5497d16-bdcd-4038-8e74-580e18458730.filesusr.com/ugd/6a7407_84e88b7347aa4147b0dc04df3298b688.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f58.bin
1c000a238eaa69a66ea883ecb5bad41335b792b6de8cbab9b3a3d9b89183e4e4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F58 5200 bytes
font_01_sfnt_off000070f3.bin
34100b3efc0c3d2fc0a03fd99d4f5abc3cc82b0d34daa8dad11af6bd7710e973		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70F3 10084 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.