Malicious PDF — malware analysis report

Static analysis result for SHA-256 44718952b83915de…

MALICIOUS

PDF

64.8 KB Created: 2020-09-09 09:43:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f6b1052d337485c7222990045c3715bf SHA-1: 6cb7a025dee0b363746a142e40311f639515dcc3 SHA-256: 44718952b83915dec96a3d6883523968064bb4344212e0b5f546c3f3f1e59ab2
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains embedded links, one of which, 'https://ttraff.me/wix?keyword=professional+cv+format+for+marketing+manager', is flagged as a malicious redirector. The document body, though heavily obfuscated, contains text related to a 'professional cv format for marketing manager' and the malicious URL, suggesting a lure to trick users into clicking the link. The presence of numerous other links to Shopify, some of which are confirmed benign, indicates a link farm strategy, likely to improve SEO for malicious content or to obscure the primary malicious destination. The ML classifier strongly supports the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=professional+cv+format+for+marketing+manager
    • https://cdn.shopify.com/s/files/1/0432/5212/1762/files/aimbot_gta_san_andreas.pdf
    • https://cdn.shopify.com/s/files/1/0441/2620/8152/files/ck2_cathar_guide.pdf
    • https://cdn.shopify.com/s/files/1/0434/7976/1061/files/busuu_premium_apk_latest.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/14981909947.pdf
    • https://cdn.shopify.com/s/files/1/0436/7400/9753/files/how_to_cartoon_a_picture_in_photoshop_cs4.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/87932640634.pdf
    • https://cdn.shopify.com/s/files/1/0432/4111/1707/files/broseley_songs_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0428/2171/4079/files/doxebunomitejuzepodulaf.pdf
    • https://cdn.shopify.com/s/files/1/0431/5165/5076/files/tanovepesepogafimamimoge.pdf
    • https://cdn.shopify.com/s/files/1/0432/0333/0208/files/14475818643.pdf
    • https://cdn.shopify.com/s/files/1/0435/7819/6129/files/17055249514.pdf
    • https://cdn.shopify.com/s/files/1/0428/1293/2255/files/87242636111.pdf
    • https://static.usrfiles.com/ugd/85c99c_44ada57dcd2f4c74a17cd0d6714b0b99.pdf
    • https://static.usrfiles.com/ugd/b8c837_0d3b63bcdbf74a9598dfa35d38f729b7.pdf
    • https://static.usrfiles.com/ugd/6a7407_4344749e297c423ea71d87f92a21bee0.pdf
    • https://static.usrfiles.com/ugd/06497e_fa2a023089c747e295ff7974eac6eded.pdf
    • https://static.usrfiles.com/ugd/41a0b6_3d6c65dfd6da418bb13a36bac7dc62c9.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b249.bin
4789d23a85f8c98f4ea7df5445a31eeed42c6b81dad2b09201920aa996d5b5f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB249 5116 bytes
font_01_sfnt_off0000c397.bin
3c9c69aba6dc8ae9346cf3d45e66d2f32174c03b98bf41f5015f9aec3cd2e395		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC397 10580 bytes
font_02_sfnt_off0000e7bd.bin
7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE7BD 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.