Malicious PDF — malware analysis report

Static analysis result for SHA-256 b24f5cd8cf9eabc7…

MALICIOUS

PDF

61.7 KB Created: 2020-09-08 13:07:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e2497cad19e06abbf531762c48e92cd2 SHA-1: 75930cdc214088b3565291ad263321a3f0f1d725 SHA-256: b24f5cd8cf9eabc7a21d04e536585700538be89ed7b9bd1be56b985fc3ce2fd2
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link that redirects to a malicious URL, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though partially corrupted, contains text related to a 'diy predator mask template' and the malicious redirector URL. The PDF also hosts a large number of external links, many pointing to Shopify, suggesting a link farm for SEO manipulation or to host further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=diy+predator+mask+template
    • https://cdn.shopify.com/s/files/1/0435/8481/5263/files/deboj.pdf
    • https://cdn.shopify.com/s/files/1/0437/5091/6247/files/penyebab_aterosklerosis.pdf
    • https://cdn.shopify.com/s/files/1/0434/3988/2402/files/bebozefedubijelijinom.pdf
    • https://cdn.shopify.com/s/files/1/0431/6649/8965/files/36405096577.pdf
    • https://static.usrfiles.com/ugd/b8c837_8e1aa1f06bcf4ed6b8c94da83f48776a.pdf
    • https://static.usrfiles.com/ugd/63f22d_15db6a07c0474af2a40ae60dd8deb662.pdf
    • https://static.usrfiles.com/ugd/b444d4_49b85df8633749b6b52d8d850010e576.pdf
    • https://static.usrfiles.com/ugd/b8c837_0ef0b7b5cfa94282a8fa342ea28f6974.pdf
    • https://cdn.shopify.com/s/files/1/0431/9959/4656/files/kujasanikeb.pdf
    • https://cdn.shopify.com/s/files/1/0437/3633/4501/files/blank_dice_template_word.pdf
    • https://cdn.shopify.com/s/files/1/0433/2548/9305/files/adding_and_subtracting_fractions_with_like_denominators_lesson_plans.pdf
    • https://cdn.shopify.com/s/files/1/0432/0234/7168/files/98550070328.pdf
    • https://cdn.shopify.com/s/files/1/0439/0833/3736/files/xiziwedofegaro.pdf
    • https://static.usrfiles.com/ugd/822ecd_cf4313a0b4ad4eb899a5edcc7837b2be.pdf
    • https://static.usrfiles.com/ugd/22bf55_7e6b077d1768488f99aa2991c5f4808c.pdf
    • https://static.usrfiles.com/ugd/bcc0e4_adf0e0eb3b04475eb79caf6a13779afd.pdf
    • https://static.usrfiles.com/ugd/956c05_ecc39ec0fe1f486289392060087d2053.pdf
    • https://static.usrfiles.com/ugd/19103d_fee49cd026b74099b46f1c6482cd5ae3.pdf
    • http://youtu.be/Qw7vG-a6Ab4
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008828.bin
a2b1a95f59fda731df5630926b1cb4c41ad1ed5e68dc1b2c925316ad34464bb8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8828 5872 bytes
font_01_sfnt_off00009c20.bin
f72235414168061cf2f827f6c666e73d69020413cdf61b0c170e1e1476e14577		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9C20 5268 bytes
font_02_sfnt_off0000ae04.bin
3716e51cdbae40d74558686aa6343c82863f46d2a7cddccd625256813b2e962e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAE04 10964 bytes
font_03_sfnt_off0000d3a0.bin
975089639afea594160f6daa1ae948ffc4125994d61a9fd32dce02580f7b6b15		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD3A0 16312 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.