Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f33d92e6ce1a1d2…

MALICIOUS

PDF

53.9 KB Created: 2020-08-30 03:54:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2bd2758581e9c25bd6a651a2363d2bb7 SHA-1: 69b66a10872431ecc092074ee40ac2fb97d21197 SHA-256: 7f33d92e6ce1a1d21d17adb1b27dbd30775cadce20e5f80fdde3a54f3abdf47c
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains a large number of embedded links, many of which point to Shopify-hosted PDFs, forming a link farm. One of the primary links, however, redirects to the malicious URL `https://ttraff.me/wix?keyword=ejercicios+modulo+de+young`. This suggests a phishing or scam attempt where the document acts as a lure to a malicious site. No scripts were extracted, but the presence of numerous links and the malicious redirector indicates a high likelihood of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=ejercicios+modulo+de+young
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0429/9177/9999/files/40526964646.pdf
    • https://cdn.shopify.com/s/files/1/0434/9175/4149/files/70638746895.pdf
    • https://cdn.shopify.com/s/files/1/0434/5639/7474/files/lomuxodibotomuxutome.pdf
    • https://cdn.shopify.com/s/files/1/0437/3164/8663/files/new_york_address.pdf
    • https://cdn.shopify.com/s/files/1/0436/9216/3227/files/61817207318.pdf
    • https://static.usrfiles.com/ugd/0d002d_934f3ec40aa14dcb8d9b221fde79aed8.pdf
    • https://static.usrfiles.com/ugd/b8c837_7d76c244ae7947faaaadb2c0fb6b1ba1.pdf
    • https://cdn.shopify.com/s/files/1/0460/6980/9316/files/casio_calculator_fx-_9750gii.pdf
    • https://cdn.shopify.com/s/files/1/0437/5809/2439/files/bikebepu.pdf
    • https://static.usrfiles.com/ugd/b8c837_b8c4c6b8ac9e40a89c928cd2f02856af.pdf
    • https://static.usrfiles.com/ugd/98e298_fe40273d8edb42dd902ca9267cfa71ff.pdf
    • https://static.usrfiles.com/ugd/01e791_d31207d6130942f3b8155c0c3470f612.pdf
    • https://static.usrfiles.com/ugd/5bb01c_5c77e0d2571240168571a2670b7996bf.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006f52.bin
73e5d597152ee063e16a7a96974b5cff556749898f5068eaa91daee9694feca1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F52 5184 bytes
font_01_sfnt_off000080e7.bin
9f37cd2c493258249d97159350ff95fe3da0d4ebea6b611377d75c4ccf98febb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x80E7 3100 bytes
font_02_sfnt_off00008d1e.bin
cf4e4b2c7209101c861dd0ee64e5acb55c0ed9e0e9ad3a5ae28dc8333908137e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8D1E 11428 bytes
font_03_sfnt_off0000b291.bin
c6cbb77ccd69c67a7d8c16c953cb7b4b8a63c7e15d2c4a6f353d8533bc8da5f9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB291 16464 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.