Malicious PDF — malware analysis report

Static analysis result for SHA-256 6b535958da4e2a29…

MALICIOUS

PDF

38.0 KB Created: 2020-08-05 15:48:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4924ce26311661869c73d47e9b5a578d SHA-1: febceaa47192d2301afd0462038161de47c3814c SHA-256: 6b535958da4e2a2913a07f912c0f6ff75fc2f5ca3dab5e10a3d3bbcbf50432c0
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains a large number of embedded external links, with one specifically identified as a malicious redirector. The document body, though obfuscated, contains the URL 'https://ttraff.cc/pify?keyword=acls+card+pdf', which is a known malicious redirector. The presence of numerous links, many pointing to Shopify domains, suggests an attempt to obscure the final malicious destination and potentially engage in SEO link farming for malicious purposes. No scripts were extracted, but the embedded links are sufficient to indicate a malicious intent to redirect users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • QR-code redirect lure medium SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=acls+card+pdf
    • http://files.bardstowncf.org/uploads/1/3/1/4/131453177/renepu.pdf
    • http://files.nigel.higson.ca/uploads/1/3/0/7/130739343/tikekujobujapegujezu.pdf
    • http://files.fourpointsinc.org/uploads/1/3/2/3/132303320/kobenafo.pdf
    • http://files.paqu.org/uploads/1/3/1/8/131871894/vibofukupu_ruzererijolibij.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0429/8165/4687/files/51920803324.pdf
    • https://cdn.shopify.com/s/files/1/0434/4122/5880/files/amsterdam_tourist_map_english.pdf
    • https://cdn.shopify.com/s/files/1/0439/2235/8427/files/36427900441.pdf
    • https://cdn.shopify.com/s/files/1/0428/5743/1196/files/42465994748.pdf
    • https://cdn.shopify.com/s/files/1/0432/1653/5720/files/44528057331.pdf
    • https://cdn.shopify.com/s/files/1/0435/8812/4830/files/dubivazifoxejudedu.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/38746106010.pdf
    • https://cdn.shopify.com/s/files/1/0431/4952/5156/files/vewimupu.pdf
    • https://cdn.shopify.com/s/files/1/0430/8277/6725/files/wigunijabon.pdf
    • https://cdn.shopify.com/s/files/1/0432/4923/8178/files/99100024636.pdf
    • https://cdn.shopify.com/s/files/1/0432/2449/8333/files/92797483215.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000558d.bin
adc8e8451a556772cdf35e93f4f3b3aaff13f83904cb2672e6cbc28d9d36da62		 pdf-font-stream PDF embedded font (sfnt) at offset 0x558D 5140 bytes
font_01_sfnt_off0000671a.bin
7d8d549c84e832245e7080286c7ac15970f32371ac2ac59e8fb1bcb1e6aacf6c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x671A 10672 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.