Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e4b01fcded95643…

MALICIOUS

PDF

55.3 KB Created: 2020-08-08 20:00:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 12670941fe9512a1b8f856526541f0e8 SHA-1: 7478f49bd559cabc7e8f8a152da14e27f1be0bce SHA-256: 7e4b01fcded9564355be842ed186da9b292a0b55962d933bd7216354a6fcc7a2
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 User Execution: Malicious File

The PDF contains a link farm designed to redirect users to malicious content, specifically a link that appears to be a download for 'Pathfinder bestiary box pdf download'. The primary malicious URL identified is https://ttraff.ru/pify?keyword=pathfinder+bestiary+box+pdf+download, which is flagged as a redirector. The document body, though heavily obfuscated, also contains this URL and numerous other Shopify links, suggesting a tactic to distribute or mask the malicious payload. The ML classifier strongly supports the malicious verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=pathfinder+bestiary+box+pdf+download
    • http://files.rhicoh.org/uploads/1/3/1/4/131437276/fiputunejeranamovor.pdf
    • http://files.catholictriparish.org/uploads/1/3/2/7/132710763/watopalaw.pdf
    • http://jokuk.crestlinepto.com/uploads/1/3/1/4/131408899/xesovi.pdf
    • https://cdn.shopify.com/s/files/1/0435/2655/3755/files/72199094631.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/gaxasukazojolivuf.pdf
    • https://cdn.shopify.com/s/files/1/0431/0522/2818/files/2293737925.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/wonazonuv.pdf
    • https://cdn.shopify.com/s/files/1/0433/4131/6249/files/bepantol_pomada_bula.pdf
    • https://cdn.shopify.com/s/files/1/0433/3685/9813/files/terapi_asidosis_metabolik.pdf
    • https://cdn.shopify.com/s/files/1/0427/8992/9116/files/95142179713.pdf
    • https://cdn.shopify.com/s/files/1/0428/9232/9116/files/63823070442.pdf
    • https://cdn.shopify.com/s/files/1/0432/6676/9051/files/24315856766.pdf
    • https://cdn.shopify.com/s/files/1/0435/0436/9816/files/xazukori.pdf
    • https://cdn.shopify.com/s/files/1/0434/6318/0454/files/algorithms_in_java_parts_1_4_robert_sedgewick.pdf
    • https://cdn.shopify.com/s/files/1/0427/9946/4611/files/38215186827.pdf
    • https://cdn.shopify.com/s/files/1/0431/5725/8395/files/wotuvotenosojewudetijig.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/xixuvedivikeror.pdf
    • https://cdn.shopify.com/s/files/1/0431/5545/6164/files/35891441126.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007b10.bin
20b7e3526aad16b946f37c97e36597d2cdbdb27285c7f5dddc2241635808a6a7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B10 5532 bytes
font_01_sfnt_off00008de8.bin
6d2a3a16cc464ce72cf05976c7f96a31c93af2202e0dc760c37a694345e222ee		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8DE8 1800 bytes
font_02_sfnt_off00009678.bin
43017c2011a8e7e71a2003c945927ad1a696f12f84420f738f780412219e7e4d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9678 10124 bytes
font_03_sfnt_off0000b94c.bin
b2563e85233037e3c2780690ed1455257f868516b5a962e54e6ffe29314c9cb1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB94C 16312 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.