Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae6133bbdfe85d1f…

MALICIOUS

PDF

51.1 KB Created: 2020-08-30 10:46:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a54c7eb8aaae82dd857c96398fa43f54 SHA-1: 49c0a5875f17b2b6c740b236a4b52e69c6b4dd67 SHA-256: ae6133bbdfe85d1f06569f1bc4b64d440248e9a4ee2ec0ef2247a79c97e1d3cf
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to Shopify domains, but one critical link directs to a known malicious redirector. The ML classifier also strongly indicated maliciousness. The primary attack vector appears to be a link farm designed to trick users into clicking through to malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=jumbled+words+in+english+pdf
    • https://cdn.shopify.com/s/files/1/0437/7369/0017/files/mowaxejepevipupesabi.pdf
    • https://cdn.shopify.com/s/files/1/0429/1241/5907/files/vcop_game_free_for_android.pdf
    • https://cdn.shopify.com/s/files/1/0429/3882/6908/files/modopij.pdf
    • https://cdn.shopify.com/s/files/1/0432/5516/9182/files/calisthenic_program.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/lugapib.pdf
    • https://static.usrfiles.com/ugd/b8c837_9a533beecad245c59d93b09b0b65424e.pdf
    • https://static.usrfiles.com/ugd/576447_feae90e0d66a4ce48b98558305d03452.pdf
    • https://static.usrfiles.com/ugd/0a593f_529f073cbada4ad48370837d6c92c0a9.pdf
    • https://static.usrfiles.com/ugd/b8c837_99ab475b41a142b8b91bf48faf579473.pdf
    • https://static.usrfiles.com/ugd/b8c837_3760a391cc2b4da189a954bec98d68ea.pdf
    • https://static.usrfiles.com/ugd/69b86f_5c0d72d440c24ed381ddb2c67ab9cdc0.pdf
    • https://static.usrfiles.com/ugd/b8c837_465834261f1a4a1bbbc1499ece75266f.pdf
    • https://static.usrfiles.com/ugd/b8c837_f1b405fb8ba84b7eadd8756f7b612aad.pdf
    • https://static.usrfiles.com/ugd/ceb2e8_d340afefe9994334aead376de322f27f.pdf
    • https://static.usrfiles.com/ugd/b8c837_bd761afde9dc46d5aa79391bae547ccc.pdf
    • https://static.usrfiles.com/ugd/b8c837_b65c760b31a648a095036790a0873184.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000062f5.bin
96b7bf9e2ec5235aedbe8697e1791bb56d97d95fcb09d73b2546658086fe3a7b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x62F5 5464 bytes
font_01_sfnt_off00007570.bin
e17ab32626e97c02950cebdb6b51918237c03a1a585600366e4ffccdef1ace92		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7570 14756 bytes
font_02_sfnt_off0000a2c0.bin
aaccfb1a04681951d630ec393f67998e254650881c2e685167bb4261d4694ecb		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA2C0 7808 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.