Malicious PDF — malware analysis report

Static analysis result for SHA-256 be933df2bdd8f6e6…

Verdict: MALICIOUS
File type: PDF
Size: 47.6 KB
Created: 2020-08-31 10:55:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c10efee0d42ca9836c36d796dc96a35a
SHA-1: 5e183b96a3c4463d87a740cd008c2e0f4e871cf6
SHA-256: be933df2bdd8f6e642192fe553792228613c77c5268909bd6e5b897a880fc04d
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links, identified as a link farm. One of these links, https://ttraff.me/wix?keyword=maud+martha+gwendolyn+brooks+pdf, is flagged as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting it is the primary lure. The presence of numerous shopify.com links indicates an attempt at SEO poisoning or distributing a large volume of content. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.me/wix?keyword=maud+martha+gwendolyn+brooks+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00006df7.bin
    SHA-256: a90ae9761651356bb428f52165a5d2e6a13bf152e7c8943502675ac55d9d8d5d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6DF7
    Size: 5692 bytes
  • font_01_sfnt_off00008141.bin
    SHA-256: 26e0fda779e18dc04feeef83d77f75b30c0c4e860f4230a9c5e48e8d27819336
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8141
    Size: 10240 bytes
  • font_02_sfnt_off0000a3c6.bin
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA3C6
    Size: 4324 bytes