Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b49495ba2621fc8…

MALICIOUS

PDF

40.1 KB Created: 2020-09-18 07:47:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bd314bd260887ea7dda704bfd00f0ab8 SHA-1: c02295ccd23db98baaaf2f5aa2660fd9030e2448 SHA-256: 7b49495ba2621fc8419c679fb09c4168a89fa518def68f10536552821b9c9282
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains numerous links to external websites, including a known malicious redirector. The document body, though partially corrupted, suggests a lure related to a 'Pampered Chef' warranty, indicating a phishing or scam attempt. The presence of a link farm on disposable hosting further supports the malicious intent of directing users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=pampered+chef+salad+chopper+warranty
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://66d1b79d-b33e-4f03-83fd-1c541f0016fa.filesusr.com/ugd/0e2875_f5a98f6c1a604ca9a32256186208218f.pdf?index=true
    • https://2ed2c543-a14c-4886-8003-d6cad266a829.filesusr.com/ugd/db93e9_ef1809f17f744129b50aec9b5000d723.pdf?index=true
    • https://6cb0d609-7f9e-4b52-b757-ef04aa9545a6.filesusr.com/ugd/895bef_39a4eea90b634b6ebe905d17908af1d5.pdf?index=true
    • https://178212e0-30a3-47e6-9211-f57d09efa7e0.filesusr.com/ugd/6350c7_dc47f2ddc53c4a538818fe820a29dde3.pdf?index=true
    • https://a500c4aa-0e31-4535-b8ec-a1a23a1f3929.filesusr.com/ugd/cc089a_80e3b0f8a55f4b1fbbfe1716ba526899.pdf?index=true
    • https://a1bc8fb5-b5c1-4635-9e01-8d2550790ef1.filesusr.com/ugd/e2f7e1_f5d351da00df40888c08364de91e8d58.pdf?index=true
    • https://96424052-5321-4814-b0c0-7a1923ae4465.filesusr.com/ugd/18ee90_de74a69a5980494fa701b815e6020b36.pdf?index=true
    • https://17d79742-f893-4baf-bf17-9c612fd03759.filesusr.com/ugd/bfbc46_c334a28197354c31a0021f21b938ac8f.pdf?index=true
    • https://63890aa3-f3ab-4154-9ab1-a206a997f056.filesusr.com/ugd/a474dd_7bd3f9c146e94246ac58039e7f4e2a6a.pdf?index=true
    • https://b3a7290a-548b-4c36-8df7-e0448b33569b.filesusr.com/ugd/7d21c0_952d4947e541475ebe32d23780d55954.pdf?index=true
    • https://abd83e1a-732c-4d37-b6f3-afed68e33dff.filesusr.com/ugd/882da0_1360146ff3a44b209e0ccd06b8f763de.pdf?index=true
    • https://3265828a-d014-4e39-9542-a4f50c512da1.filesusr.com/ugd/735189_878bb4b7a66f49ec936b10e54b5c1ca6.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0435/9687/3885/files/19022902039.pdf
    • https://cdn.shopify.com/s/files/1/0429/8748/7385/files/riwulaguzojuparex.pdf
    • https://cdn.shopify.com/s/files/1/0462/7877/0848/files/angamaly_diaries_band_bgm.pdf
    • https://cdn.shopify.com/s/files/1/0436/8793/6150/files/attestation_d_hbergement_pour_la_banque_postale.pdf
    • https://cdn.shopify.com/s/files/1/0438/1281/5008/files/87151361280.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000059de.bin
d46968363594561ee58dc4c4133a1cb6e5dd853c0a57a45cabcc8a3e5788ca96		 pdf-font-stream PDF embedded font (sfnt) at offset 0x59DE 5592 bytes
font_01_sfnt_off00006ccf.bin
a5b0d1deb6350bd2dc6e0626af4c91973a7491f770740f4377fa17e29f2cf1f8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6CCF 10976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.