Malicious PDF — malware analysis report

Static analysis result for SHA-256 7a1e4ddfec916d23…

MALICIOUS

PDF

37.3 KB Created: 2020-09-01 01:43:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 277acecedf235ba1ff8c4633af532738 SHA-1: defe3a234cd662b784c07a11cd9d5323b35785ff SHA-256: 7a1e4ddfec916d231e2d6a1bff737ebd5f7dbc0c0b504579026583eb17a317be
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass of external links, many pointing to benign Shopify URLs, but one critical link directs to a known malicious redirector. The document body text, though garbled, includes the phrase "5ml roller bottle label template" and the malicious URL, suggesting a lure to a phishing or scam page. The ML classifier strongly indicated maliciousness, and the PDF structure itself is flagged for containing a link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=5ml+roller+bottle+label+template
    • https://cdn.shopify.com/s/files/1/0435/8239/0431/files/fakigusizevomuvulax.pdf
    • https://cdn.shopify.com/s/files/1/0463/0803/2669/files/26480574234.pdf
    • https://cdn.shopify.com/s/files/1/0431/8691/3437/files/geporakajajikofogage.pdf
    • https://static.usrfiles.com/ugd/b11f6d_37316488b47d424f95f9cac1ea1931e5.pdf
    • https://static.usrfiles.com/ugd/b8c837_c025833d1d234c23969e4c6b46ed53dd.pdf
    • https://static.usrfiles.com/ugd/c618e9_3130ab7c534b4404baa59edc0db92c9a.pdf
    • https://static.usrfiles.com/ugd/49be48_2a45f293d719410f943e9a1b6645d6f2.pdf
    • https://static.usrfiles.com/ugd/ab059d_983feeab3dad44d4926b6477289412bb.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000557c.bin
e897f5d07eb61ed41b83a7501e9faaa2ef81d11e5573b7ebae1f1ebaf1cf946c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x557C 4956 bytes
font_01_sfnt_off0000663e.bin
9378896d10d6f0e2a0ecdc4a0ee8051c9085e723da5c3e25c1db87875fdc6308		 pdf-font-stream PDF embedded font (sfnt) at offset 0x663E 10212 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.