Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f4e639c31708417…

MALICIOUS

PDF

52.8 KB Created: 2020-07-24 16:06:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 18ea9020ce32b4ac3c93f793f5b3bc6d SHA-1: a80bfc11f12c1fb7a548ea646d2e1ad4f68f4c54 SHA-256: 8f4e639c317084179ebed3950a590c857fc3b9ae5792ed9c1518477cb12a9137
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link T1059.001 PowerShell

The PDF contains a large number of embedded links, identified as a link farm, with a critical heuristic firing for malicious redirector links. The primary malicious URL identified is ttraff.ru, which is used to redirect to other PDF files hosted on various domains, including shopify.com. The document body is heavily obfuscated, but the presence of the 'Anker bolder lc40 manual' string suggests a lure to trick users into clicking the malicious links. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=anker+bolder+lc40+manual
    • http://files.2ndchanceapartment.com/uploads/1/3/0/9/130969293/724b67f93c96.pdf
    • http://files.ghslog62.com/uploads/1/3/1/3/131378942/sozoripumuvogabo.pdf
    • http://files.constantinpreda.co.uk/uploads/1/3/0/7/130775197/farimemebom.pdf
    • http://files.chez-fert-gite.com/uploads/1/3/1/6/131636984/noluniril_bimawu_solozifuz_tavuziloxi.pdf
    • http://files.portagemusiclessons.com/uploads/1/3/2/6/132681322/e711ecbdedad5.pdf
    • http://files.portagemusiclessons.com/uploads
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/faramerujinusopuko.pdf
    • https://cdn.shopify.com/s/files/1/0437/8198/0317/files/78000099441.pdf
    • https://cdn.shopify.com/s/files/1/0431/7747/6253/files/pulaguralixokijudurinigir.pdf
    • https://cdn.shopify.com/s/files/1/0429/8221/1733/files/nuwolevejere.pdf
    • https://cdn.shopify.com/s/files/1/0434/5079/4145/files/39269125521.pdf
    • https://cdn.shopify.com/s/files/1/0430/6249/3345/files/biluzubepesukabuw.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/9467339244.pdf
    • https://cdn.shopify.com/s/files/1/0430/3598/4029/files/64674611232.pdf
    • https://cdn.shopify.com/s/files/1/0432/9714/4990/files/movetexumemovadugade.pdf
    • https://cdn.shopify.com/s/files/1/0432/5857/7046/files/dinelunokinulibo.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/lofexunixepufatomubudabak.pdf
    • https://cdn.shopify.com/s/files/1/0429/8565/2375/files/zaralesepumavolipu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007b14.bin
f0d9b8ff4a54e00921782eaf2b4d199d6f04842916f01561050dfc0fcc053239		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B14 5084 bytes
font_01_sfnt_off00008c36.bin
f987d96be7ec159260881b3b48aa1dc1bd65043495c655d365d5e6cc3ed4b33f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8C36 10572 bytes
font_02_sfnt_off0000b08a.bin
95f2a8319533f051e584a9e2aa38e8d42f7eb419abe795cf0dce2d6390e2c0a0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB08A 16204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.