Malicious PDF — malware analysis report

Static analysis result for SHA-256 5af5f3f7febe7794…

Verdict: MALICIOUS
File type: PDF
Size: 60.7 KB
Created: 2020-08-30 12:48:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f84da704a6363e74f844c41c771b85dc
SHA-1: 7175877acfe8f02c74cf22355ce06b61976442a8
SHA-256: 5af5f3f7febe7794f287ca85f46e4d69385628eb2ef21f26695e5ed7d3ee0c09
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a link farm and a direct link to a known malicious redirector, disguised as an 'email extractor lite' tool. The ML classifier strongly flagged this PDF as malicious. The presence of numerous embedded URLs, many pointing to Shopify and static hosting, suggests a link farm designed to obscure the ultimate destination, which is the malicious redirector at 'ttraff.me'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=email+extractor+lite1+6
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.indictrans.org
    • http://fedorahosted.org/lohit
    • https://cdn.shopify.com/s/files/1/0429/3741/7891/files/jezexuxubowojutatusefera.pdf
    • https://cdn.shopify.com/s/files/1/0435/0260/0356/files/wazunituvoramam.pdf
    • https://cdn.shopify.com/s/files/1/0429/3849/9235/files/ferasigipux.pdf
    • https://cdn.shopify.com/s/files/1/0437/2919/1066/files/deforestation_and_global_warming.pdf
    • https://static.usrfiles.com/ugd/36f25b_b7d42dcefc114ad08da2df26d562d3f5.pdf
    • https://static.usrfiles.com/ugd/69b86f_47e3971ca7b7406bb832794d58cb47a1.pdf
    • https://static.usrfiles.com/ugd/defcb2_c44b5d1afbcf48729315e76328796c9f.pdf
    • https://static.usrfiles.com/ugd/73cb9e_311f499e54804819afb55916ea39d9b7.pdf
    • https://static.usrfiles.com/ugd/b8c837_d7abb618046a4f458bb58e871afd2125.pdf
    • https://cdn.shopify.com/s/files/1/0440/1404/3294/files/80818281544.pdf
    • https://cdn.shopify.com/s/files/1/0435/3985/7563/files/14537367382.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each entry lists Filename, Kind, Source and Size, followed by the SHA-256 of the carved file.

  • stream_006_off00009ec0.bin
    Kind:    decompressed-pdf-stream
    Source:  PDF FlateDecoded stream at offset 0x9EC0
    Size:    21968 bytes
    SHA-256: 63f9975fbdc72200dc532fdc6609e084504f85715e07286aea729988dcee2a94
  • font_00_sfnt_off000053b6.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x53B6
    Size:    5000 bytes
    SHA-256: 059ebc6fdaa2a0b923d882effe481d9d77ff7628687bcb73e812e848183467a9
  • font_01_sfnt_off000064a0.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x64A0
    Size:    4620 bytes
    SHA-256: b6297628564c97c30bae6f3a5042d45634c7eb01c4408fcd368047f7ec46c37a
  • font_02_sfnt_off00007365.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x7365
    Size:    13092 bytes
    SHA-256: f58b9c44e1fad19011fef4bf478cd8d58c89744c87b4270cee79cd7c12fa6da6
  • font_04_sfnt_off0000c4db.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0xC4DB
    Size:    3792 bytes
    SHA-256: 558d465559d0bc4234eb8f30ce64fc8d3eb903326ab08f19913929050f445131
  • font_05_sfnt_off0000d389.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0xD389
    Size:    4040 bytes
    SHA-256: 806c3ea6c89dc902f650ddafe7672f5faf04422371e039d5a6c687f1a73da5c6