Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e06cb2ebd34df5f…

MALICIOUS

PDF

51.5 KB Created: 2020-07-18 01:45:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c55a1418d9008a1d8b4c1cbadbea0e21 SHA-1: 7c5e978ef44b1761548c6fc37ad626e24d559a8c SHA-256: 9e06cb2ebd34df5f8c03f1920817616663996f0a226ea913ee16b12763fa9f07
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to known malicious redirectors or are part of a link farm designed to manipulate search engine results. The primary malicious link identified is 'https://ttraff.com/wb?keyword=center%20pivot%20irrigation%20systems%20pdf', which is a critical finding. The document body is heavily obfuscated, but the presence of the 'wkhtmltopdf' application name suggests it was programmatically generated, likely to host these malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=center%20pivot%20irrigation%20systems%20pdf
    • http://files.northwindswineconsulting.com/uploads/1/3/2/8/132814096/biviv.pdf
    • http://files.htkranch.com/uploads/1/3/1/4/131437158/1435bf5155b090a.pdf
    • http://files.apocmich.com/uploads/1/3/0/7/130776483/riwopelakagefivov.pdf
    • http://files.entirebeing.com/uploads/1/3/1/3/131398219/6033821.pdf
    • https://zesefekir.files.wordpress.com/2020/07/konilef.pdf
    • https://xipuwir.files.wordpress.com/2020/07/fopowukomudoputusutupim.pdf
    • https://xajezeduza.files.wordpress.com/2020/07/69977554913.pdf
    • https://kejivugufe.files.wordpress.com/2020/06/61449346925.pdf
    • https://wepolasonere.files.wordpress.com/2020/06/41704747612.pdf
    • https://kisefavel526658237.files.wordpress.com/2020/06/76233523709.pdf
    • https://xoruwojuki.files.wordpress.com/2020/06/49872847309.pdf
    • https://vikotefo.files.wordpress.com/2020/06/bozegijiwumojojef.pdf
    • https://begilob.files.wordpress.com/2020/07/2049288080.pdf
    • https://tepijefaluv.files.wordpress.com/2020/07/lojifawumemuxuzanutido.pdf
    • https://cdn.shopify.com/s/files/1/0431/3884/2779/files/82535903455.pdf
    • https://cdn.shopify.com/s/files/1/0431/3507/4465/files/96268028493.pdf
    • https://cdn.shopify.com/s/files/1/0431/1659/3312/files/62390200784.pdf
    • https://cdn.shopify.com/s/files/1/0430/3313/3209/files/wujovojov.pdf
    • https://cdn.shopify.com/s/files/1/0430/6649/1031/files/vazakubifubulasuwunopo.pdf
    • https://cdn.shopify.com/s/files/1/0427/8360/4903/files/51220103530.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/tivaluzisezulumavolo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007ebd.bin
da56592442bc8da0e41f9e8e6f8ed4654bd60a4536a8094fc710217501ec7e5c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7EBD 5304 bytes
font_01_sfnt_off000090b9.bin
59c9e287c9fd60d67ffff6d9e65ba3732eab96ed553a4c25100f73458ebab0f6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x90B9 15084 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.