Malicious PDF — malware analysis report

Static analysis result for SHA-256 98ffeb2a1aff5a7d…

MALICIOUS

PDF

37.0 KB Created: 2020-08-23 13:17:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f3517374b983255fe15ebf88e73055aa SHA-1: 32fdbdcfcbc0cc5c96d9cb0f24c5d6ed49152646 SHA-256: 98ffeb2a1aff5a7dec19efef2f04db6dc763be4d37cae60f98fa312de7407020
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a large number of embedded links, many pointing to Shopify domains, but one critical link directs to a known malicious redirector. The document body, though heavily obfuscated, contains the text 'Burrraahh full song' and the malicious URL, suggesting a lure to a potentially harmful download or phishing page. The ML classifier strongly indicated maliciousness, and the presence of a malicious redirector confirms the intent to lead the user to a dangerous destination.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=burrraahh+full+song
    • http://files.wonderpin.com/uploads/1/3/1/0/131069893/abd9dc.pdf
    • https://cdn.shopify.com/s/files/1/0431/6109/2255/files/12405291339.pdf
    • https://cdn.shopify.com/s/files/1/0463/0750/8381/files/35725437227.pdf
    • https://cdn.shopify.com/s/files/1/0428/9213/2511/files/dashboard_page_design_templates_free.pdf
    • https://cdn.shopify.com/s/files/1/0433/8994/3975/files/wevojipuwevowa.pdf
    • https://cdn.shopify.com/s/files/1/0431/5525/9560/files/58846452199.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/mulobovapu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/55742160690.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/19463184481.pdf
    • https://cdn.shopify.com/s/files/1/0433/8040/8474/files/body_language_book_in_punjabi.pdf
    • https://cdn.shopify.com/s/files/1/0435/8068/6495/files/spreadsheet_in_excel.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000046dd.bin
7ca955a9ea99a334a9815cc9d36475c7e2ef92c92287b851ca55f08fb0a3cfa1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x46DD 5076 bytes
font_01_sfnt_off0000581f.bin
e851769ace7964256509575ca7423806b19a1d09e0387ca40f044741838d2835		 pdf-font-stream PDF embedded font (sfnt) at offset 0x581F 15408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.