Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c2c5b0dcc86cc5c…

MALICIOUS

PDF

42.3 KB Created: 2020-08-02 23:02:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d6ba0453b464e5f96958616f7706c5b8 SHA-1: fb3e447e7e8593a27ccfe5e96e46baa37429459e SHA-256: 4c2c5b0dcc86cc5c24a8f4c02a84c9e6e660fc2ab3dadcad3945819ef4421202
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged by a machine learning classifier as malicious and contains a large number of embedded links, many pointing to Shopify domains hosting other PDFs. One critical heuristic identified a link to a known malicious redirector infrastructure at 'https://ttraff.cc/pify?keyword=facebook+chat+heads'. The document body contains garbled text along with the redirector URL and several Shopify URLs, suggesting a content-scrambling or obfuscation technique. The primary intent appears to be SEO manipulation or redirecting users to malicious content through a link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=facebook+chat+heads
    • http://files.lphschoirs.org/uploads/1/3/0/9/130969728/c5a4efa43dd4.pdf
    • http://files.fountainoflifeministrieshavelock.org/uploads/1/3/1/8/131871816/bf10e1.pdf
    • http://files.hearttohand.com/uploads/1/3/1/4/131413718/fukubipejibej-ketuxavizabe-guxafamikoz.pdf
    • http://files.dioneoil.com/uploads/1/3/0/8/130874010/puvujosesa_tafolo.pdf
    • http://files.brunswicknaturesculpturewalk.com/uploads/1/3/1/4/131437044/789783.pdf
    • https://cdn.shopify.com/s/files/1/0433/2997/8526/files/femevijukorexirep.pdf
    • https://cdn.shopify.com/s/files/1/0430/0128/2711/files/lodusabivafanexufuzumolu.pdf
    • https://cdn.shopify.com/s/files/1/0430/6200/1821/files/gidotalumimetoxa.pdf
    • https://cdn.shopify.com/s/files/1/0435/3854/6840/files/sadusameliwiwivagavagetir.pdf
    • https://cdn.shopify.com/s/files/1/0432/7315/8821/files/43652050998.pdf
    • https://cdn.shopify.com/s/files/1/0430/3791/7345/files/fabivanuludilidilanodip.pdf
    • https://cdn.shopify.com/s/files/1/0437/0097/7816/files/56134160426.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/3785448733.pdf
    • https://cdn.shopify.com/s/files/1/0434/5351/3880/files/segubumizifebubijogexusa.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/63529720688.pdf
    • https://cdn.shopify.com/s/files/1/0437/3915/2536/files/onkyo_tx-_nr545_manual.pdf
    • https://cdn.shopify.com/s/files/1/0428/6598/3655/files/92351291734.pdf
    • https://cdn.shopify.com/s/files/1/0433/7877/0078/files/fezufezefenuritikuxobu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006998.bin
e01c623aa832a53969f90727b78190b1d5df479c2784c1bde501d4b63601d619		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6998 5056 bytes
font_01_sfnt_off00007ac2.bin
432b840b9a071659259f74b6b23771ff341b6e2568b12d6fc1e57f3a63256ddc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7AC2 9872 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.