Malicious PDF — malware analysis report

Static analysis result for SHA-256 49aa2f07d5e5f660…

MALICIOUS

PDF

52.5 KB Created: 2020-08-30 22:22:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fd56fe4862f91c1973ef8a472e1237fd SHA-1: f27c2816e9848cbd03c6e6c42dfde515ddce97b1 SHA-256: 49aa2f07d5e5f66027d505215a4a48450e3573c984d1073c3ad52e5cfc81d186
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=aplicaciones+de+los+logaritmos'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, many hosted on cdn.shopify.com. The ML classifier strongly flagged this PDF as malicious. The document body contains the same malicious URL and a benign-looking PDF filename, suggesting a lure to trick users into clicking the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=aplicaciones+de+los+logaritmos
    • https://cdn.shopify.com/s/files/1/0430/5872/5015/files/vojileritilarififadiji.pdf
    • https://cdn.shopify.com/s/files/1/0433/3774/4552/files/call_of_cthulhu_character_sheet.pdf
    • https://cdn.shopify.com/s/files/1/0434/7727/0692/files/civil_engineering_drawing_download.pdf
    • https://static.usrfiles.com/ugd/865d50_afe468817f304ce8ad28725967d79982.pdf
    • https://static.usrfiles.com/ugd/4b7290_f1aacdc08817471593ceeed41fc44dda.pdf
    • https://static.usrfiles.com/ugd/0d002d_630ccd81e36f4621ad087cee1ba64cd3.pdf
    • https://static.usrfiles.com/ugd/df4650_d0ca8978990e484ebaa361a148ab9c8f.pdf
    • https://static.usrfiles.com/ugd/b8c837_e1ecea4fb2ef4005905eea90850c4860.pdf
    • https://cdn.shopify.com/s/files/1/0429/3728/6812/files/body_beast_diet_plan.pdf
    • https://cdn.shopify.com/s/files/1/0430/8697/1029/files/apache_server_tutorial.pdf
    • https://cdn.shopify.com/s/files/1/0432/1312/7844/files/62117819028.pdf
    • https://cdn.shopify.com/s/files/1/0429/6772/8279/files/autosar_bsw_makefile_interface.pdf
    • https://cdn.shopify.com/s/files/1/0435/2340/8023/files/da_form_1594.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006bef.bin
c80b935bb2e72fbf0bb54bead4dcf673e2ee9ff5a06d35ab91e29c0786333a85		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6BEF 1696 bytes
font_01_sfnt_off00007419.bin
2df438616abca967a07d4760f4f337511a5202c2b6df5653169d5480c8bf77d4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7419 5380 bytes
font_02_sfnt_off0000863f.bin
5d5f850f260fec6675285033125e55728775c2a0db5606fa8c501e84ec5de678		 pdf-font-stream PDF embedded font (sfnt) at offset 0x863F 11824 bytes
font_03_sfnt_off0000aceb.bin
f54df4aafadc1a1528d683a257ea84fd1246cd35e702780e4edff2a010127ad2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xACEB 16232 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.