Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f288971420a8887…

MALICIOUS

PDF

39.2 KB Created: 2020-09-06 16:18:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ca077b526f64e674b8156af5496fd5be SHA-1: e89b7400ac9f5ad74b26659cdb29ccd93546c6fa SHA-256: 7f288971420a8887e325d3573eb37cbb6ed9d34bee1e223addee706395903c19
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.link/wix?keyword=income+elasticity+of+demand+tutor2u+worksheet'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, with the first being 'https://cdn.shopify.com/s/files/1/0432/9275/4080/files/pekogavuwazokudumaworomuf.pdf'. The ML classifier also strongly flagged this PDF as malicious. The document body, though partially corrupted, contains references to the redirector URL and other embedded links, suggesting a lure to external malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=income+elasticity+of+demand+tutor2u+worksheet
    • https://cdn.shopify.com/s/files/1/0432/9275/4080/files/pekogavuwazokudumaworomuf.pdf
    • https://cdn.shopify.com/s/files/1/0431/1020/3556/files/arkansas_monthly_fertilizer_tonnage_report.pdf
    • https://cdn.shopify.com/s/files/1/0433/8201/4119/files/om_namah_shivaya_bob_marley_mp3.pdf
    • https://cdn.shopify.com/s/files/1/0432/0028/2783/files/pdf_to_visio_converter_free.pdf
    • https://cdn.shopify.com/s/files/1/0433/7152/8344/files/82791807896.pdf
    • https://cdn.shopify.com/s/files/1/0437/2656/9633/files/88907227587.pdf
    • https://cdn.shopify.com/s/files/1/0433/7080/7461/files/tokufuzoxupemujipit.pdf
    • https://static.usrfiles.com/ugd/e8dba5_7f81ec5bb8ab43bf824f7fb0b7090fce.pdf
    • https://static.usrfiles.com/ugd/2e16aa_33408baba60f405a9e7c09ed20999a13.pdf
    • https://static.usrfiles.com/ugd/843280_99075e1553be4bd99cef9e34720e8719.pdf
    • https://static.usrfiles.com/ugd/e5412a_94f7d4148ca2400b8001434614e62805.pdf
    • https://static.usrfiles.com/ugd/5438e3_8e092ded169e44f080bbda9b535c51c1.pdf
    • https://static.usrfiles.com/ugd/b58d21_e29aa2d27b8342febcfc78a34e03939b.pdf
    • https://static.usrfiles.com/ugd/74a852_2390e4754e714facbd5a5800db85bcb7.pdf
    • https://static.usrfiles.com/ugd/96564c_9f06fda40fe444c6b927e5d11b9d131b.pdf
    • https://static.usrfiles.com/ugd/99965f_c4721040141e495a8fd506b850ccb4af.pdf
    • https://static.usrfiles.com/ugd/bd5c68_7b4a7b0639c64e71a57780b07ad2802d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004b3d.bin
6cb0d67829cd9bab5f4e4f1e13901683f4ffbca449f9572a974283cfb32b4c4d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4B3D 5472 bytes
font_01_sfnt_off00005daa.bin
94472f7606c807d7cd395f273671c99877db163136820150cc12e02fb5adf597		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5DAA 11120 bytes
font_02_sfnt_off0000817d.bin
d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378		 pdf-font-stream PDF embedded font (sfnt) at offset 0x817D 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.