Malicious PDF — malware analysis report

Static analysis result for SHA-256 68bcd1d4c1f4b13e…

Verdict: MALICIOUS
File type: PDF
Size: 53.2 KB
Created: 2020-08-11 05:49:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5abd7a32689d2d6e9b3e3be5632bf0d1
SHA-1: f46403f0506680be5d0638b37d047b011718290d
SHA-256: 68bcd1d4c1f4b13e52eaab6b47129c5a0a816a82e895cdd7aa465efd3ee3ba1e
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links, many pointing to Shopify domains, suggesting an SEO poisoning or link farm tactic. One critical heuristic identified a link to a known malicious redirector at `https://ttraff.com/pify?keyword=9.+s%25C4%25B1n%25C4%25B1f+bile%25C5%259Fik+%25C3%25B6nermeler+konu+anlat%25C4%25B1m%25C4%25B1+pdf`, indicating a malicious intent to redirect users to harmful content. The document body itself is heavily garbled but contains similar URLs, reinforcing the redirection attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256

  • font_00_sfnt_off00006cab.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6CAB
    Size: 2884 bytes
    SHA-256: 50282ae6b398c6550007f6bbc7507911752da4392849308ca45805a20a6efc86
  • font_01_sfnt_off000076e9.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x76E9
    Size: 5904 bytes
    SHA-256: 253364bfea364322a41e4d197efe522e8fd89393a145fbb66bbac8590586af4e
  • font_02_sfnt_off00008a13.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8A13
    Size: 12064 bytes
    SHA-256: 4dcc97986da34cb793d1a460fa3ad798689477710621f366377726fc706281c9
  • font_03_sfnt_off0000af3d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAF3D
    Size: 16184 bytes
    SHA-256: 36f46c45928c54cf8ce2d2f3f2a6d19ee7fccde260513865f1c3320ccc6d6a15