Malicious PDF — malware analysis report

Static analysis result for SHA-256 b7f84b261fcd997d…

Verdict: MALICIOUS
File type: PDF
Size: 50.0 KB
Created: 2020-09-09 10:00:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1c6d9ecddde0753d3a835c99214fc6c3
SHA-1: acd18f35b1b197d6df91d09644850692c6cbdc57
SHA-256: b7f84b261fcd997db475529e0b3f8bcef4079d8fdbe729f2fd04bba5f29bf40c
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a link that redirects to malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body and embedded links suggest a lure related to 'Oxford discover 1 cd free', likely intended to trick users into clicking the malicious link. The PDF also contains a large number of external links, characteristic of a link farm.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI pointing to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00005f41.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5F41  4980 bytes
  SHA-256: 5618280a2e79742c19afd6932b75846967d69a50ca2bc38db4f18fe195a60d07
font_01_sfnt_off0000704d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x704D  5852 bytes
  SHA-256: 0460e4b819836684ee646564f23d3767bfcf5407a742f126e14b557faf704447
font_02_sfnt_off00007f04.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7F04  11104 bytes
  SHA-256: ea8494bedd2aab6e1105b010bcc3a100d749870bb010b7c03c26fe23a3c82337
font_03_sfnt_off0000a45f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xA45F  16028 bytes
  SHA-256: 13adf508137d8c465935a7a142060f5d940462760dc3fd3f5061e956d2f2222b