Malicious PDF — malware analysis report

Static analysis result for SHA-256 7125606254c6c637…

MALICIOUS

PDF

32.5 KB Created: 2020-08-25 08:08:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d7e47b5499e02352bf850d2635f4fc6a SHA-1: c30ad0719da53ae1c9ca8a5b497143c46ea58145 SHA-256: 7125606254c6c63763f84a8778d08f8b04ae1de60c0f3b37e9932ea224d35bcb
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a heuristic firing for linking to known malicious redirector infrastructure, specifically pointing to 'https://ttraff.com/pify?keyword=bowling+ball+drilling+layout+sheet'. The document body, though partially corrupted, contains text related to 'bowling ball drilling layout sheet' and the malicious URL, suggesting a lure. The presence of numerous embedded URLs, many linking to Shopify, indicates a potential link farm or SEO manipulation tactic to distribute malicious content. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=bowling+ball+drilling+layout+sheet
    • http://files.rotterdamenglishspeakingtheatre.nl/uploads/1/3/1/4/131408432/2855680.pdf
    • http://files.justanhrgirl.com/uploads/1/3/1/1/131164573/5503410.pdf
    • http://files.suzi-little.com/uploads/1/3/0/9/130969046/c4449ffdf0.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0432/3367/3380/files/49510431233.pdf
    • https://cdn.shopify.com/s/files/1/0433/3328/8088/files/tanavetifavixuwavor.pdf
    • https://cdn.shopify.com/s/files/1/0430/6337/8081/files/angular_2_material_form_control.pdf
    • https://cdn.shopify.com/s/files/1/0438/1379/8050/files/42588719985.pdf
    • https://cdn.shopify.com/s/files/1/0428/9950/5311/files/52653138640.pdf
    • https://cdn.shopify.com/s/files/1/0432/6467/1909/files/makidajilekisunemaguvunaz.pdf
    • https://cdn.shopify.com/s/files/1/0428/5222/1084/files/savabuvujobaxude.pdf
    • https://cdn.shopify.com/s/files/1/0431/3900/6632/files/types_of_weather_worksheets_for_grade_3.pdf
    • https://cdn.shopify.com/s/files/1/0447/7422/8117/files/apps_apple_store_uk.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/vakijuxek.pdf
    • https://cdn.shopify.com/s/files/1/0432/6237/8152/files/4433291195.pdf
    • https://cdn.shopify.com/s/files/1/0431/3609/0273/files/49177236261.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000433a.bin
7611508f07d750be3b7cd1b179430c2e7709b5f8730de0126203609e25d98e24		 pdf-font-stream PDF embedded font (sfnt) at offset 0x433A 5472 bytes
font_01_sfnt_off000055d8.bin
4d185efd87727ab50be2657a2a5e1b55bc624ee1dce5a69db3da0fac1965c21e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x55D8 9244 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.