Malicious PDF — malware analysis report

Static analysis result for SHA-256 5d4b87c5fad773be…

MALICIOUS

PDF

31.6 KB Created: 2020-09-01 08:21:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3379824032d89cc8f32acfe55f082eb3 SHA-1: 8b8358c84d2ffdac8500c568ab1af8de13f3b1a3 SHA-256: 5d4b87c5fad773be84bb970b7b0a4f83fe3930ffa947e03f842187f5f6b0abdc
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF is designed as a lure, presenting itself as a 'Mckinsey quarterly report pdf' but containing a full-page image with a hidden clickable link. The primary malicious link, https://ttraff.me/wix?keyword=mckinsey+quarterly+report+pdf, is identified as a known malicious redirector. The document also contains a large number of links to other PDFs hosted on Shopify, likely for SEO manipulation or to obscure the primary malicious destination. No scripts were extracted, but the overall structure and the malicious redirector strongly suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 31 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=mckinsey+quarterly+report+pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0440/9052/3813/files/52855863276.pdf
    • https://cdn.shopify.com/s/files/1/0436/6172/1765/files/84099424119.pdf
    • https://cdn.shopify.com/s/files/1/0438/0491/7917/files/black_swan_putlocker.pdf
    • https://cdn.shopify.com/s/files/1/0428/6667/1782/files/75434871422.pdf
    • https://cdn.shopify.com/s/files/1/0428/3914/6662/files/livingston_county_mo_sheriff_reports.pdf
    • https://cdn.shopify.com/s/files/1/0429/6366/5055/files/29300924608.pdf
    • https://cdn.shopify.com/s/files/1/0431/1403/7397/files/video_bhajan_site.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/zawitowawipujeko.pdf
    • https://cdn.shopify.com/s/files/1/0429/2398/3015/files/tapekodabadapoto.pdf
    • https://cdn.shopify.com/s/files/1/0434/7727/0678/files/86751202061.pdf
    • https://static.usrfiles.com/ugd/20d83a_5903da085b854e99be9e6024ea5e373c.pdf
    • https://static.usrfiles.com/ugd/5a1791_1f2a4be2c8e34004b831ffd4019e39f4.pdf
    • https://static.usrfiles.com/ugd/96bf9d_ce8794b0daf545b7a5f434142bc1a6e4.pdf
    • https://static.usrfiles.com/ugd/9b33c5_c4986956b76543a2b58b998ccdf325c1.pdf
    • https://static.usrfiles.com/ugd/b8c837_976bd660bdee4d7788f013bdd62a5954.pdf
    • https://cdn.shopify.com/s/files/1/0432/9373/7118/files/donde_estan_esos_amigos.pdf
    • https://cdn.shopify.com/s/files/1/0429/1824/8601/files/bazow.pdf
    • https://cdn.shopify.com/s/files/1/0434/4256/9368/files/21247348818.pdf
    • https://cdn.shopify.com/s/files/1/0436/5362/8062/files/9119963866.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000449c.bin
2447e2adafb202a640299a749a6c01599ac52f309550700889f54c65b78d930f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x449C 5444 bytes
font_01_sfnt_off00005748.bin
5913d1b87901877d17228a30770fc47f865732d56f71b5d2ac094e4431842fe5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5748 7760 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.