Malicious PDF — malware analysis report

Static analysis result for SHA-256 b5ce5a9e0d42bb74…

Verdict: MALICIOUS
File type: PDF
Size: 77.9 KB
Created: 2020-08-02 02:12:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 361333b4fcd3d2e474d3fe45b6dbd94c
SHA-1: 35f4f18ac2d125b927dad12d924cb861c5f50a28
SHA-256: b5ce5a9e0d42bb740d4c2a133e0b08e70e5580caf79b22e5a8b235c29231e825
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file exhibits characteristics of a link farm, containing numerous external links. One prominent link, 'https://ttraff.cc/pify?keyword=d%2526+d+5e+vengeance+paladin', points to known malicious redirector infrastructure. The ML classifier strongly indicated maliciousness, supporting the conclusion that this PDF is designed to lure users to harmful sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=d%2526+d+5e+vengeance+paladin

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename                     Kind                     Source                                      Size         SHA-256
stream_010_off0001181c.bin   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x1181C   6504 bytes   9003564e08fb0501c5ae5fab280914cb9c153dd57bc8dd8498dd8ccc688b3b24
font_00_sfnt_off00007e05.bin pdf-font-stream          PDF embedded font (sfnt) at offset 0x7E05   7516 bytes   238444a621cb99c89123a5ec98137520be8997eb3e121e9a17fd30f5a27a464c
font_01_sfnt_off0000918b.bin pdf-font-stream          PDF embedded font (sfnt) at offset 0x918B   3148 bytes   16b61b9ab498405f2df6f399d97181d54282c74902742798f643c2729e11ff71
font_02_sfnt_off00009ccb.bin pdf-font-stream          PDF embedded font (sfnt) at offset 0x9CCB   4156 bytes   bae8c65fbb2985f8f9e3f3f2bcf16a0f9e8e1e4a7d5ebf1135d71e3fbc9ddb2e
font_03_sfnt_off0000aab9.bin pdf-font-stream          PDF embedded font (sfnt) at offset 0xAAB9   6280 bytes   832730448fb31df25e7ccf71f60b3cc9b79d63dbe6e6efee4664fe698bc83bb8
font_04_sfnt_off0000ba23.bin pdf-font-stream          PDF embedded font (sfnt) at offset 0xBA23   27748 bytes  d973afab3770f103f73a78a8a40e6a1259085d1569ae52dd6af89ef609715ed3
font_05_sfnt_off0001013c.bin pdf-font-stream          PDF embedded font (sfnt) at offset 0x1013C  16572 bytes  858bf2175291dc6f9ba6a046b61122cb32c98a6103b0fe039a49911bb9ad6baf