Malicious PDF — malware analysis report

Static analysis result for SHA-256 8beeb5f55aeaddff…

MALICIOUS

PDF

47.0 KB Created: 2020-07-28 16:56:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1752f6b9c44e8d5faf6a61ce5f11163e SHA-1: 5a24997016741c73d5b3ab666023c0bb0d4a32f9 SHA-256: 8beeb5f55aeaddff835f90002f1deb27dd5d4920a03934b594f46a5fc78c7fef
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=assistant+loco+pilot+exam+paper'. This indicates a phishing or redirection attempt. The document body, though heavily obfuscated, contains text related to 'Assistant loco pilot exam paper', suggesting a lure. The presence of numerous embedded links, many hosted on Shopify, further supports the link farm heuristic, indicating an attempt to distribute malicious content or manipulate search engine results.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=assistant+loco+pilot+exam+paper
    • http://files.hillsjanitorial.com/uploads/1/3/0/7/130776215/72b258399.pdf
    • http://files.dinaperezdesigns.com/uploads/1/3/0/9/130969494/foxosizuja-kazakex.pdf
    • http://files.theevillageapothecary.com/uploads/1/3/1/3/131384113/2937175.pdf
    • http://files.harvardsouthshore.org/uploads/1/3/0/8/130874496/67095f0330c.pdf
    • https://cdn.shopify.com/s/files/1/0433/1667/4713/files/93170004938.pdf
    • https://cdn.shopify.com/s/files/1/0429/2666/9987/files/38145630688.pdf
    • https://cdn.shopify.com/s/files/1/0431/9661/2768/files/69858939722.pdf
    • https://cdn.shopify.com/s/files/1/0428/8184/3353/files/72027662017.pdf
    • https://cdn.shopify.com/s/files/1/0434/0698/3333/files/tavanuwokotom.pdf
    • https://cdn.shopify.com/s/files/1/0435/5260/4319/files/5208904098.pdf
    • https://cdn.shopify.com/s/files/1/0437/0412/3557/files/28636312876.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/movikulewerudazuxedo.pdf
    • https://cdn.shopify.com/s/files/1/0427/6633/6166/files/tofukefuxebemubuxi.pdf
    • https://cdn.shopify.com/s/files/1/0429/7401/9740/files/34491121519.pdf
    • https://cdn.shopify.com/s/files/1/0434/5525/0598/files/zuvedobevozozezifukajova.pdf
    • https://cdn.shopify.com/s/files/1/0429/1965/7628/files/7235003676.pdf
    • https://cdn.shopify.com/s/files/1/0428/4448/7836/files/faxegivud.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007978.bin
8706c8ff331ef1bf216fe37a3a83f4829fe20ebd22a733a5a1ea701d25a572a1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7978 4924 bytes
font_01_sfnt_off00008a11.bin
e9c393595a2f89d6063ab22d2a234f46b73d772e8501b0d3dfbf5e2eb141a747		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8A11 10960 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.