Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9f7e6c40de5cbd4…

MALICIOUS

PDF

48.0 KB Created: 2020-09-01 04:07:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e05ea1a7f7ac66820475273117c57a03 SHA-1: 3153972b2b21e5cfefc39f4708d32074d6b46bf4 SHA-256: b9f7e6c40de5cbd4d0a068909f04c80af4b5198aa34dd31f8a025124dc26b423
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, identified as a link farm. One of these links, 'https://ttraff.com/wix?keyword=dieta+cetog%25C3%25AAnica+epilepsia+pdf', points to known malicious redirector infrastructure. The ML classifier also strongly indicated maliciousness. This suggests the document's primary purpose is to lure users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=dieta+cetog%25C3%25AAnica+epilepsia+pdf
    • https://cdn.shopify.com/s/files/1/0465/4311/0302/files/astrophotography_apps_for_android.pdf
    • https://cdn.shopify.com/s/files/1/0438/3929/1554/files/zerikemi.pdf
    • https://cdn.shopify.com/s/files/1/0431/0525/5586/files/97992661763.pdf
    • https://static.usrfiles.com/ugd/49be48_b7eaaf6aff3048669a0411764c698d33.pdf
    • https://static.usrfiles.com/ugd/856cea_7d2276a4470d4369818f50595b6e7f92.pdf
    • https://static.usrfiles.com/ugd/b8c837_3cb3d912147b4bcf965305c13a1a36b4.pdf
    • https://static.usrfiles.com/ugd/b8c837_ddcf71396a3c463a99180d85e72960ff.pdf
    • https://cdn.shopify.com/s/files/1/0431/9281/1669/files/bikolusegibidamewoxonofu.pdf
    • https://cdn.shopify.com/s/files/1/0433/9020/6117/files/guxipafujoxaj.pdf
    • https://cdn.shopify.com/s/files/1/0432/9416/3109/files/gonave_island_travel_guide.pdf
    • https://cdn.shopify.com/s/files/1/0433/6353/2951/files/14053988195.pdf
    • https://cdn.shopify.com/s/files/1/0430/8857/6665/files/38426851557.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007b34.bin
0e689a2bca088bc8ec605974a0917e0dcbaaa11d022a2f56e484a73051fc3db7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B34 5376 bytes
font_01_sfnt_off00008d5a.bin
d6c5ce1ce76cd97c7e667f8d4c390d2b8782b62508ff7acfd0c232f33e0d9259		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8D5A 10724 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.