Malicious PDF — malware analysis report

Static analysis result for SHA-256 54db5bc5a7ab7421…

MALICIOUS

PDF

Size: 44.1 KB
Created: 2020-08-05 22:43:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 241d747177fd9bad93d53de66e798afb
SHA-1: 00c530cf6327481c093df2f2ccbbff69dd928ed4
SHA-256: 54db5bc5a7ab742152636e7d2e8d5302664cc88094d94f1312ac1848c06792c8
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains numerous links, many pointing to benign Shopify domains, but one critical link redirects to `ttraff.com`, a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'medical surgical nursing 13th edition pdf download', suggesting a lure. The presence of a malicious redirector link and the SEO link farm technique strongly indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/wb?keyword=medical%20surgical%20nursing%2013th%20edition%20pdf%20download

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00006420.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6420
    Size: 5728 bytes
    SHA-256: 96d6363a57ec8e1b5840105dc6191ba79bce442e7c55fb675ea6bbebbaa05597
  • font_01_sfnt_off000077b4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x77B4
    Size: 1800 bytes
    SHA-256: daad3f347a4f42f432ee9983e619a7c063e36761dba5934b469418034847e28e
  • font_02_sfnt_off00008042.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8042
    Size: 10012 bytes
    SHA-256: 8bd8c984d8c1017e2ac9c49c560bf55386ecc65e4d6c26de3b9f812dbd5e2efb