Malicious PDF — malware analysis report

Static analysis result for SHA-256 564e3694b02f3281…

MALICIOUS

PDF

41.7 KB Created: 2020-08-31 01:43:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f137dc6b2f534cab2c6e76e4ad32b7e1 SHA-1: d64d05c3f5015916a792534682bbf5368c52a0bb SHA-256: 564e3694b02f3281091ab2956332a64109e75220ef98c8fe5fc61e8359931046
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

This PDF file contains a significant number of embedded links, many pointing to Shopify domains, suggesting an attempt to create a link farm for SEO manipulation. One prominent link, 'https://ttraff.com/wix?keyword=sat+prep+black+book+mike+barrett', is identified as a malicious redirector. The document body, though heavily obfuscated, contains references to study materials and the malicious URL, reinforcing the lure. The presence of a malicious redirector link and the sheer volume of outbound links indicate a high likelihood of malicious intent, likely to drive traffic to malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=sat+prep+black+book+mike+barrett
    • https://cdn.shopify.com/s/files/1/0434/8392/2585/files/interpersonal_communication_3rd_edition.pdf
    • https://cdn.shopify.com/s/files/1/0431/5653/7493/files/89910381886.pdf
    • https://cdn.shopify.com/s/files/1/0454/6048/8350/files/wajesanaperij.pdf
    • https://cdn.shopify.com/s/files/1/0437/7398/4919/files/blood_group_test_report.pdf
    • https://cdn.shopify.com/s/files/1/0435/2176/9627/files/bootcamp_for_macbook_air_2017.pdf
    • https://cdn.shopify.com/s/files/1/0430/9087/0423/files/33066736086.pdf
    • https://cdn.shopify.com/s/files/1/0439/2579/9067/files/potutafomofuwutomiw.pdf
    • https://cdn.shopify.com/s/files/1/0438/2870/7488/files/hypothesis_about_tardiness_of_students.pdf
    • https://cdn.shopify.com/s/files/1/0435/8009/6667/files/cadbury_worm_case_study.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/90841244024.pdf
    • https://cdn.shopify.com/s/files/1/0428/1411/1903/files/veruget.pdf
    • https://static.usrfiles.com/ugd/b8c837_4646e54ddc0649e38460ee08418bcde8.pdf
    • https://static.usrfiles.com/ugd/3cb679_82d24a59be8c4691bda9623d180e6a16.pdf
    • https://static.usrfiles.com/ugd/63022f_8781473afeaf429abd4ec3479b906788.pdf
    • https://static.usrfiles.com/ugd/b8c837_fc9fbe74a5f4431db8ba452051342171.pdf
    • https://static.usrfiles.com/ugd/b8c837_c558778b550b43acad83bc9fa711904b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006479.bin
9b4fdc8e3ca3b8439fca8cfde63a38effc0c5d1d4f4c6413fbc893be2df593b9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6479 5208 bytes
font_01_sfnt_off00007619.bin
ae5018d2137eca0447545663908ea306be034941c42e3b633ff232b008b1255e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7619 10292 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.