Malicious PDF — malware analysis report

Static analysis result for SHA-256 b7cb7e3528d29fec…

MALICIOUS

PDF

42.4 KB Created: 2020-09-18 20:06:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 07afc054f0099ea6cf0ff759c3431a4e SHA-1: d7d7e840e74faa9322f8246b4c38790adc516cd7 SHA-256: b7cb7e3528d29fecbb21d6eea1e7c57ee19157f798c385ca4506ee0a8c67a994
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.link, which is designed to lure users to malicious content. The document body, though heavily obfuscated, also contains this URL and numerous other links to PDF files hosted on Shopify, suggesting a link farm or SEO poisoning attempt. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=one+direction+forever+young+live
    • https://cdn.shopify.com/s/files/1/0435/8910/7869/files/18138995632.pdf
    • https://cdn.shopify.com/s/files/1/0431/4189/0210/files/navitolejasonefajebax.pdf
    • https://cdn.shopify.com/s/files/1/0431/0453/4692/files/69540691858.pdf
    • https://cdn.shopify.com/s/files/1/0434/6983/2354/files/dupoxefanizotebitu.pdf
    • https://cdn.shopify.com/s/files/1/0429/5704/5913/files/kawasupinuwepemavuxuwogod.pdf
    • https://cdn.shopify.com/s/files/1/0465/3521/3206/files/47061995486.pdf
    • https://e2b0a231-be81-477d-81b9-ff822d75019d.filesusr.com/ugd/062c90_cb57e88535be44f4978cd6b8f23ff83a.pdf?index=true
    • https://353e034b-413c-43e2-a202-cae958d67769.filesusr.com/ugd/3db607_9b063dd16c4f471997119e2281e2c7f9.pdf?index=true
    • https://d53b7456-9d68-45a8-b2bb-06f1740c5f13.filesusr.com/ugd/fedf23_4b07b749cb3c48f894ad1fe820be25b7.pdf?index=true
    • https://29108c4b-53dc-4b2e-a762-0740dc159d29.filesusr.com/ugd/8b4172_a49222974a8f43998fd149152044751f.pdf?index=true
    • https://a942bf8b-8302-4e8a-9d7e-7db9683bba28.filesusr.com/ugd/cece23_c842390f175b49879cf5ef5a6eca47b1.pdf?index=true
    • https://0001bedf-dc32-44ba-b61d-75cf43cf82e0.filesusr.com/ugd/ca847e_e2eca7d5a69744e29e15d7754fb52ff0.pdf?index=true
    • https://18a95b4e-41d1-4850-9381-bb22fdee99c4.filesusr.com/ugd/0aab01_24240d3cc0c54ad59f93a585621004eb.pdf?index=true
    • https://f92e535f-0368-4399-94bf-4a0e17a8068c.filesusr.com/ugd/f4de5e_216d5ff600894453b746ce9e6627d51f.pdf?index=true
    • https://f7c41397-cc3c-44e3-9bcc-9843cebf5b2e.filesusr.com/ugd/271e65_b634b257242b4cb5b2b821da4e295fc9.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006874.bin
2d2208ae4c1c683a260a8ed8324d5ea91097bc99a81d02be3e33919f0043e944		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6874 4992 bytes
font_01_sfnt_off00007991.bin
d872b00f70941d17ee3c52a77173623b87088b8fea7eec199475fd79bdb9ef01		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7991 10348 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.