Malicious PDF — malware analysis report

Static analysis result for SHA-256 98434134e746f29c…

Verdict: MALICIOUS
File type: PDF
Size: 57.3 KB
Created: 2020-08-01 18:58:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a250156e8621cde16a2a3530e8345f05
SHA-1: e6dc8885914175dbf265893cb6b24d82468b2300
SHA-256: 98434134e746f29c42e3325c888e62515fccf0ab7d0917b05a57dcb1e39b5925
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 Malicious Link

The PDF contains a large number of clickable links, most of them pointing to other generated PDFs in a link farm on cdn.shopify.com, with a few more on similar file-hosting subdomains. The primary link, https://ttraff.cc/pify?keyword=derivative+of+b%255E+x, is a known malicious redirector; its keyword parameter is double URL-encoded and decodes to the search phrase "derivative of b^ x", the SEO bait this carrier was generated for. The same URL also appears in the document body once its streams are decoded. No scripts were extracted, so the sample relies entirely on the user clicking a link and following the redirect chain rather than on a PDF parser exploit.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=derivative+of+b%255E+x
    • http://files.joshcosman.com/uploads/1/3/0/7/130776131/2997539.pdf
    • http://files.rebeccagrayyoga.com/uploads/1/3/1/4/131453560/fevubaraxemo.pdf
    • http://files.goldenpawsdogs.com/uploads/1/3/0/7/130739892/7331533.pdf
    • https://cdn.shopify.com/s/files/1/0431/0981/0343/files/71356910226.pdf
    • https://cdn.shopify.com/s/files/1/0431/6617/1287/files/54522160408.pdf
    • https://cdn.shopify.com/s/files/1/0429/3384/6183/files/5897511407.pdf
    • https://cdn.shopify.com/s/files/1/0431/0332/2269/files/jufuwenigeba.pdf
    • https://cdn.shopify.com/s/files/1/0430/0334/7098/files/wosaxon.pdf
    • https://cdn.shopify.com/s/files/1/0428/5834/8703/files/kewifi.pdf
    • https://cdn.shopify.com/s/files/1/0439/1701/7256/files/pepusevin.pdf
    • https://cdn.shopify.com/s/files/1/0432/2403/9592/files/paruwigub.pdf
    • https://cdn.shopify.com/s/files/1/0432/6604/8165/files/jirarizul.pdf
    • https://cdn.shopify.com/s/files/1/0429/6966/1589/files/56858918996.pdf
    • https://cdn.shopify.com/s/files/1/0431/5847/0807/files/92236474248.pdf
    The six entries below are XMP/RDF metadata namespace identifiers (schema names), not clickable links:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
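The three heuristics above can be reproduced with a short static triage pass. The script below is an added example written for this report, not the analysis platform's own code: it pulls URLs out of raw PDF bytes, labels each with the channel that reached it (clickable /URI annotation, plain document body, or XMP namespace), decodes the redirector's double-encoded keyword, and applies the redirector and link-farm rules. The thresholds (100 KB, 8 PDF links, 50% on one host), the known-redirector host list, and the constructed sample PDF (including the made-up Shopify paths) are assumptions for the demonstration; the scanner only sees uncompressed objects, so a real wkhtmltopdf sample needs its streams inflated first.

```python
"""Static triage of a PDF for the SEO link-farm / redirector heuristics.

Added example for this report, not the analysis platform's own code. It
scans raw PDF bytes with regular expressions, so it only sees uncompressed
objects; real samples (wkhtmltopdf output included) need their streams
inflated first. Thresholds and the redirector host list are assumptions.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlparse

# Assumption: the redirector heuristic keys on a curated host list.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.cc"}

# XMP/RDF schema identifiers look like URLs but are metadata, not links.
XMP_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)

URI_ANNOT_RE = re.compile(rb"/URI\s*\(([^)]*)\)")       # /Link annotation target
BARE_URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")   # anything URL-shaped


def extract_urls(pdf_bytes):
    """Map each URL to the channel that reached it.

    A clickable /URI annotation wins over a bare match of the same string,
    mirroring the per-URL channel labels in the report.
    """
    urls = {}
    for m in URI_ANNOT_RE.finditer(pdf_bytes):
        urls[m.group(1).decode("latin-1")] = "link_annotation"
    for m in BARE_URL_RE.finditer(pdf_bytes):
        url = m.group(0).decode("latin-1")
        channel = "xmp_namespace" if url.startswith(XMP_NAMESPACE_PREFIXES) else "document_body"
        urls.setdefault(url, channel)
    return urls


def decode_seo_keyword(url):
    """Recover the redirector's double-URL-encoded 'keyword' parameter."""
    raw = parse_qs(urlparse(url).query).get("keyword", [""])[0]  # first decode: %25 -> %
    return unquote(raw)                                          # second decode: %5E -> ^


def evaluate(pdf_bytes, small_kb=100, min_pdf_links=8, cluster_ratio=0.5):
    """Return (heuristic hits, extracted URLs) for one PDF."""
    urls = extract_urls(pdf_bytes)
    clickable = [u for u, ch in urls.items() if ch == "link_annotation"]
    hits = []
    if any(urlparse(u).hostname in KNOWN_REDIRECTOR_HOSTS for u in clickable):
        hits.append(("PDF_MALICIOUS_REDIRECTOR_LINK", "critical"))
    pdf_links = [u for u in clickable if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top = hosts.most_common(1)[0][1] if hosts else 0
    if (len(pdf_bytes) <= small_kb * 1024 and len(pdf_links) >= min_pdf_links
            and top >= cluster_ratio * len(pdf_links)):
        hits.append(("PDF_SEO_LINK_FARM", "critical"))
    if urls:
        hits.append(("EMBEDDED_URL", "info"))  # informational: URLs alone are not a verdict
    return hits, urls


def build_sample_pdf(link_urls, body_urls=()):
    """Constructed minimal, uncompressed PDF: one /Link annotation per URL,
    an XMP metadata stream, and page text that mentions body_urls."""
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:dc="http://purl.org/dc/elements/1.1/" '
           'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    objs = ["<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
            "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            None,  # page object, filled in once the other object numbers are known
            f"<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\nstream\n{xmp}\nendstream"]
    annots = []
    for url in link_urls:
        annots.append(f"{len(objs) + 1} 0 R")
        objs.append("<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
                    f"/A << /S /URI /URI ({url}) >> >>")
    content = f"BT /F1 10 Tf (see {' '.join(body_urls)}) Tj ET"
    objs.append(f"<< /Length {len(content)} >>\nstream\n{content}\nendstream")
    objs[2] = (f"<< /Type /Page /Parent 2 0 R /Contents {len(objs)} 0 R "
               f"/Annots [{' '.join(annots)}] >>")
    body = "\n".join(f"{n} 0 obj\n{o}\nendobj" for n, o in enumerate(objs, 1))
    return f"%PDF-1.4\n{body}\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n".encode("latin-1")


# Constructed sample modelled on the report: the redirector URL plus a farm of
# .pdf links, most of them on one CDN host (the Shopify paths are made up).
SAMPLE_LINKS = [
    "https://ttraff.cc/pify?keyword=derivative+of+b%255E+x",
    "http://files.joshcosman.com/uploads/1/3/0/7/130776131/2997539.pdf",
    "http://files.rebeccagrayyoga.com/uploads/1/3/1/4/131453560/fevubaraxemo.pdf",
    "http://files.goldenpawsdogs.com/uploads/1/3/0/7/130739892/7331533.pdf",
] + [f"https://cdn.shopify.com/s/files/1/0431/0981/0343/files/{i}.pdf" for i in range(11)]
SAMPLE_PDF = build_sample_pdf(SAMPLE_LINKS, body_urls=[SAMPLE_LINKS[0]])

if __name__ == "__main__":
    for name, severity in evaluate(SAMPLE_PDF)[0]:
        print(f"{severity:8} {name}")
    print("keyword:", decode_seo_keyword(SAMPLE_LINKS[0]))
```

The channel split matters for triage: the XMP namespace URIs above are pulled from metadata and never become a hit, while a /URI annotation to a known redirector host is enough on its own. Because the body scan is a plain regex, a URL that only exists inside a FlateDecode stream is invisible until the streams are inflated, which is the first thing to do before trusting a "no URLs found" result on a wkhtmltopdf-generated file.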

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt font programs, which is expected for wkhtmltopdf output.

Filename                        Kind             Source                                     Size
font_00_sfnt_off00007d04.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x7D04   4868 bytes
    SHA-256: fc0a73564dac346b9e8cc3c8574fa991ea4755b037d45fa48aac5d4596b7ca75
font_01_sfnt_off00008dbb.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x8DBB  16900 bytes
    SHA-256: 88803fed5d5a3f95e6bcc82701dfcf95f556b027627b09347e5fd246ac2a6b42
font_02_sfnt_off0000c2db.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xC2DB  16244 bytes
    SHA-256: b6c40f4cec7a5682d82dd58ef049cfa3a22373d2b55b8cc9530bacbb63b2db5f