Malicious PDF — malware analysis report

Static analysis result for SHA-256 4041c66e0b12747c…

MALICIOUS

PDF

34.9 KB Created: 2020-08-29 21:05:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f68786a4ac252996d1c09cf5a04057b2 SHA-1: f9e6439e555a9aa81039297f8cca49e5060e9c62 SHA-256: 4041c66e0b12747cd08ea01728905f15899ce1d0fa1668c2c43260bb4f654ac3
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a significant number of embedded links, with one pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.link/wix?keyword=puu+sh+ihbp6+jpg' which is flagged as malicious. Additionally, numerous links to Shopify-hosted PDFs were extracted, suggesting a link farm or SEO manipulation tactic. The ML classifier strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=puu+sh+ihbp6+jpg
    • https://cdn.shopify.com/s/files/1/0431/2589/9426/files/honda_xr2600_engine_manual.pdf
    • https://cdn.shopify.com/s/files/1/0427/5824/2470/files/waxawemozuketuzurowufunow.pdf
    • https://cdn.shopify.com/s/files/1/0429/2762/0249/files/16919402192.pdf
    • https://cdn.shopify.com/s/files/1/0462/6985/7941/files/67669528960.pdf
    • https://cdn.shopify.com/s/files/1/0428/4186/6403/files/zeretusaboxunalix.pdf
    • https://static.usrfiles.com/ugd/0779a3_bca5d344e3f2443d839617e6b1fadf1d.pdf
    • https://static.usrfiles.com/ugd/b8c837_1fd470b8877947c292e1a654f1a01b2e.pdf
    • https://static.usrfiles.com/ugd/b8c837_a4a1e0df20a64ef7af329f888e2a8ee7.pdf
    • https://static.usrfiles.com/ugd/b8c837_5b1d0a83b5f24a71985914db063d5bbf.pdf
    • https://cdn.shopify.com/s/files/1/0457/9164/1766/files/vehicle_registration_information_telangana.pdf
    • https://cdn.shopify.com/s/files/1/0430/8258/0130/files/dobiporigopiwa.pdf
    • https://cdn.shopify.com/s/files/1/0430/3139/6501/files/lolevotigupedemiban.pdf
    • https://cdn.shopify.com/s/files/1/0427/4470/9276/files/basic_human_anatomy_roberto_osti.pdf
    • https://cdn.shopify.com/s/files/1/0429/2729/2582/files/letewesuxebud.pdf
    • https://cdn.shopify.com/s/files/1/0431/4031/7350/files/tumisolusiz.pdf
    • https://cdn.shopify.com/s/files/1/0436/1230/7618/files/coordonnes_polaires_vitesse.pdf
    • https://cdn.shopify.com/s/files/1/0460/0424/0543/files/rinotu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/xigazisamakolomomabixefox.pdf
    • https://cdn.shopify.com/s/files/1/0435/1442/9608/files/31231592076.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004b0d.bin
3515cb370fef655dccef473eda1a851b6129b360a03964eda5028773e33089c3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4B0D 5112 bytes
font_01_sfnt_off00005c6d.bin
e323d86bb65dfb055214fc9871f5b77ae02a95b563ed0b22e530899bc246b1cf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C6D 10120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.