Malicious PDF — malware analysis report

Static analysis result for SHA-256 5eb1e8ca08effda4…

MALICIOUS

PDF

39.3 KB Created: 2020-08-06 20:40:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fe039395c407bf2ed3e5c4607dcdd93e SHA-1: 30a6d1da3aed8125807a629cf6b712eed357e723 SHA-256: 5eb1e8ca08effda4d7dfa42ed4273889464bf8adca9103fffb318179ce341631
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded URLs, including a primary redirector at 'https://ttraff.com/pify?keyword=principles+of+auditing+book+pdf'. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' confirms this URL points to malicious infrastructure. The document body, though heavily obfuscated, also contains this URL and other links to Shopify-hosted PDFs, suggesting a link farm or SEO poisoning tactic to drive traffic to malicious sites. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=principles+of+auditing+book+pdf
    • http://kimejavi.efwcjb.com/uploads/1/3/1/6/131606027/6c5ea.pdf
    • http://vufisi.wnyccda.org/uploads/1/3/1/3/131379730/3654183.pdf
    • http://xobof.ginjalionart.com/uploads/1/3/0/7/130775997/7565265.pdf
    • http://pimaki.spanishduluth.com/uploads/1/3/1/0/131070331/814f958a4.pdf
    • http://files.easthamptonmabouncehouserentals.com/uploads/1/3/1/3/131398264/kozodewetirevak-bozuri-nujapenaviwivow.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0429/9633/4753/files/kaplan_property_and_casualty.pdf
    • https://cdn.shopify.com/s/files/1/0427/6033/9623/files/jokuwoxopukuvogonotojirab.pdf
    • https://cdn.shopify.com/s/files/1/0431/3009/3728/files/vedekebu.pdf
    • https://cdn.shopify.com/s/files/1/0443/2130/8828/files/antonyms_words_list_with_meaning.pdf
    • https://cdn.shopify.com/s/files/1/0429/4252/9695/files/3630788364.pdf
    • https://cdn.shopify.com/s/files/1/0439/3621/9291/files/ts_16949_standards.pdf
    • https://cdn.shopify.com/s/files/1/0431/1675/7153/files/wimananesivugidire.pdf
    • https://cdn.shopify.com/s/files/1/0430/5394/0887/files/13259720933.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/581871399.pdf
    • https://cdn.shopify.com/s/files/1/0434/0062/6341/files/91682198155.pdf
    • https://cdn.shopify.com/s/files/1/0428/9799/7991/files/69007973498.pdf
    • https://cdn.shopify.com/s/files/1/0432/7079/9510/files/fipik.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005af2.bin
5d907dc10d6ae4d99d69f1d686280522f9d004cdef9b3079c313bc7fc7c5ad90		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5AF2 5528 bytes
font_01_sfnt_off00006dc8.bin
d2cfcc813488bd0c5199910a30bb2ed6b2c541b56eeed3f0ee8d216413a3bdfe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DC8 10184 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.