Malicious PDF — malware analysis report

Static analysis result for SHA-256 5b47dedc6b196f54…

Verdict: MALICIOUS
File type: PDF
Size: 65.6 KB
Created: 2020-09-04 07:24:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7a34762a44e5bb459b1e6a57fddf5edf
SHA-1: 577a94e5d089e03448f0930ff60e64e7f15fbbc8
SHA-256: 5b47dedc6b196f545e368cc89a6fa28081fdc9ee490c1de41826080d3ed38b92
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.me/wix?keyword=ccnp+frame+relay+pdf'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links to external PDFs, many hosted on Shopify. The document body appears to be obfuscated or corrupted, but the presence of the redirector URL suggests an attempt to lead the user to malicious content, likely for SEO manipulation or phishing purposes.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=ccnp+frame+relay+pdf

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000060b4.bin | 8fd175e48262aa88cba67eafced9b737ae6bfaef6be4700522d9ccb68fc7693f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x60B4 | 20364 bytes
font_01_sfnt_off0000a106.bin | aab9edbc7dc4ffe151c5355eef8c788295b5e6516281d97dfaf2f24df32c3e08 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA106 | 4800 bytes
font_02_sfnt_off0000b137.bin | 2a1a1fd99a6e4f7d6ddfa037cdb027dd4d5e43a37a1e6724e7e8c16532bd7dc4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB137 | 10948 bytes
font_03_sfnt_off0000d6c5.bin | 354dce64f07f3d7acdf6a04edf763950ffbfec4edcbb4bfe17b65a83544077bb | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD6C5 | 16036 bytes
font_04_sfnt_off0000eb2d.bin | d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB2D | 4324 bytes