Malicious PDF — malware analysis report

Static analysis result for SHA-256 7d8734b7eee8b2fb…

Verdict: MALICIOUS
File type: PDF
Size: 38.9 KB
Created: 2020-08-04 18:54:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7c33071cccb3541fa9f256675ae4c07b
SHA-1: a3e76f5981779454d7d9bfc504327b78d5fbbfd6
SHA-256: 7d8734b7eee8b2fbe14434d58ce5d8856b8ac270b8e76d876296452abf4334d1
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

A heuristic fires on this PDF for linking to known malicious redirector infrastructure, specifically the URL https://ttraff.cc/pify?keyword=basic+english+grammar+book+3+pdf. The file also exhibits the characteristics of a PDF link farm: numerous external links, many of them pointing to Shopify domains. The document body, though heavily obfuscated, contains the same malicious URL alongside benign-looking PDF titles, suggesting a lure intended to make users click through to potentially malicious content. No scripts were extracted, but the embedded URLs together with the redirector link strongly indicate a phishing or malicious redirection attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=basic+english+grammar+book+3+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00004817.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4817
    Size: 5692 bytes
    SHA-256: bacf97fa6b37908e885bef9a7df5b7ec135eafbcffe9fb647d506e197ef01d3b
  • Filename: font_01_sfnt_off00005b28.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5B28
    Size: 11164 bytes
    SHA-256: ab6fd6630b21360f0285b1b41babac1bcd87d9da32b422f0cd0640be35af0fff
  • Filename: font_02_sfnt_off000080ae.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x80AE
    Size: 4324 bytes
    SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3