Malicious PDF — malware analysis report

Static analysis result for SHA-256 b1b6e0b6b2d309b5…

MALICIOUS

PDF

41.3 KB Created: 2020-09-18 14:11:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d36c84a16250db3ff3b5ae21a9570288 SHA-1: 1f9750de3552245f5c59d77d6bb6f91607b6e84a SHA-256: b1b6e0b6b2d309b53d5963a57fe7d78df2325ca8d339320aeef9731b75f02551
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.link/wix?keyword=cite+lab+manual'. Additionally, it exhibits a PDF link farm heuristic, with numerous external links, including one to a Shopify domain. The document body, though heavily obfuscated, contains the same URL as the malicious redirector. This suggests a phishing or malware distribution attempt, likely using the 'cite lab manual' lure to entice clicks.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=cite+lab+manual
    • https://cdn.shopify.com/s/files/1/0440/8918/0310/files/interior_design_catalogue_template_free.pdf
    • https://cdn.shopify.com/s/files/1/0433/4590/3774/files/xunevure.pdf
    • https://cdn.shopify.com/s/files/1/0434/0531/2156/files/collins_scrabble_dictionary_2020.pdf
    • https://cdn.shopify.com/s/files/1/0429/6382/8895/files/gapapubetoluponifuvujake.pdf
    • https://2933824c-536c-40f6-9735-8c7e1ef14f6a.filesusr.com/ugd/f4de5e_94b5299e018d4330b2aab598dd221c92.pdf?index=true
    • https://4b9ccea8-d2f4-444a-8dea-a25e97608c5d.filesusr.com/ugd/bb05c1_ffa22b07db964c6aa15affd0b64db365.pdf?index=true
    • https://361a6477-5681-4908-9eb0-91a8b6c33487.filesusr.com/ugd/7a359d_8e04dc97c5154098ab6ae5e497ca6965.pdf?index=true
    • https://7daa857f-6f9d-4584-9183-f18d9f2dfbc3.filesusr.com/ugd/717a42_08a71c56c8cd42dc9190cd84c9f9ee28.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0431/0378/1015/files/discounted_cash_flow_template_free.pdf
    • https://cdn.shopify.com/s/files/1/0428/6251/0236/files/w4_deductions_and_adjustments_worksheet_line_4.pdf
    • https://cdn.shopify.com/s/files/1/0432/7361/7568/files/ps_vita_games_download.pdf
    • https://02e1bf9c-c6e0-40ee-9565-59868dd75f52.filesusr.com/ugd/46a5ae_0d9409155a564cafa1adb181cce458f8.pdf?index=true
    • https://083d6849-5c6f-42d1-b607-fc689e1d8344.filesusr.com/ugd/c836c3_5c71dae374414db8b75b419f2eb91d48.pdf?index=true
    • https://c8531830-18d8-4b46-b146-ad65251fea98.filesusr.com/ugd/f91cf1_d61b9f9f623f44e6b43e770b58f1225c.pdf?index=true
    • https://bb919e28-b209-486d-9d2c-4b59717572b7.filesusr.com/ugd/3ddeef_370b99e3d6ec4cdcb65eeceb0847a1cb.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000065c7.bin
2411cd890ec9af814da662bb21ac5ef95ff2ecb1f612e6b7c849480bef48f5d3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65C7 4600 bytes
font_01_sfnt_off00007554.bin
0bdbda227f53be3c91e09e1f1dbc5ee1d55098512d44234b4ba31adbc90b15e7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7554 10192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.