Malicious PDF — malware analysis report

Static analysis result for SHA-256 5249d779583fe94e…

MALICIOUS

PDF

Size: 64.5 KB
Created: 2020-08-31 03:23:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c86cb2fb117d719c99aa20228bf9f1b0
SHA-1: d2a4def9acde60bfe2285a2d19519b5aadc27c9f
SHA-256: 5249d779583fe94e0c62055a8cb4cd2208e3e1dbda43f9b66b9093c2d45f2682
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to "https://ttraff.cc/wix?keyword=sigma+notation+worksheet". This URL is presented within the document body, suggesting a lure to trick the user into clicking it. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs, many pointing to Shopify domains, likely for SEO manipulation to improve the ranking of the malicious redirector. The ML classifier strongly supports the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=sigma+notation+worksheet

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off000063bc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x63BC | 7812 bytes | d8aac24e6e23d6c3b50ddf78e75c6f56c8882a4bb1b8aba48cc381ea7f5cc53a
font_01_sfnt_off00007d77.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7D77 | 3036 bytes | 0193c5c66da104de5168f83d1d2c3ad9431c911da8fbbc15b69745f38f0436bd
font_02_sfnt_off00008841.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8841 | 5116 bytes | 59f33592d700e91f105d28e1462a3c7d1e287595fb47d7ba56f4ddc0875379f8
font_03_sfnt_off0000997f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x997F | 8732 bytes | edc7dfbc9218772427e5b300bddfc17ec45ee5a7166f51d13ff92165e39dd15c
font_04_sfnt_off0000aa92.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAA92 | 11780 bytes | 0bf02b0ffc45a949d6bb29484a6ae99bceaa33c43d4646140882dc243b58e117
font_05_sfnt_off0000d0bb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD0BB | 16084 bytes | 1513cff1140ee46b119fd1f1a8d89226c35fa745519edd36504e398b791a408b
font_06_sfnt_off0000e566.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE566 | 4324 bytes | d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378