Malicious PDF — malware analysis report

Static analysis result for SHA-256 c7348fbfa82c583a…

MALICIOUS

PDF

44.7 KB Created: 2020-08-31 14:33:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 13c02cf6e5e367c680c7ac17f9afc63a SHA-1: 18ea541de67353148550a36e991deede43af56a1 SHA-256: c7348fbfa82c583a99d255cac888742ee4490cb3e12720215b8ad90a4685c7d5
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it points to known malicious infrastructure. The PDF also contains a link farm, suggesting an attempt to game search engines or distribute links. The primary malicious URL identified is https://ttraff.cc/wix?keyword=internet+service+provider+website+templates+free, which is likely used to redirect users to a malicious site. The document body, though heavily obfuscated, contains references to 'internet service provider website templates free', aligning with the lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=internet+service+provider+website+templates+free
    • https://cdn.shopify.com/s/files/1/0430/2965/9805/files/40723233675.pdf
    • https://cdn.shopify.com/s/files/1/0428/7361/8599/files/zoxubixosugisivugavutom.pdf
    • https://cdn.shopify.com/s/files/1/0437/5917/3790/files/two_suit_spider_solitaire_247.pdf
    • https://cdn.shopify.com/s/files/1/0437/9885/5840/files/aprendendo_a_aprender_barbara_oakley_livro.pdf
    • https://cdn.shopify.com/s/files/1/0428/5746/3971/files/26400679143.pdf
    • https://cdn.shopify.com/s/files/1/0432/0903/1840/files/dragonball_z_psp_download.pdf
    • https://cdn.shopify.com/s/files/1/0439/4500/1115/files/soundcloud_converter_to_mp3.pdf
    • https://cdn.shopify.com/s/files/1/0431/9143/5422/files/14498701863.pdf
    • https://cdn.shopify.com/s/files/1/0428/5900/4070/files/max_lucado_anxious_for_nothing.pdf
    • https://cdn.shopify.com/s/files/1/0459/2258/2679/files/vemazizal.pdf
    • https://cdn.shopify.com/s/files/1/0438/9027/8568/files/exercice_leur_leurs_cm1.pdf
    • https://cdn.shopify.com/s/files/1/0431/5850/3584/files/93260609600.pdf
    • https://static.usrfiles.com/ugd/0ebc1f_d127470d2db94ebfb12ccf1fafc2db12.pdf
    • https://static.usrfiles.com/ugd/7f16bd_d0dc943d5f164a869580987d8c8e4d5a.pdf
    • https://static.usrfiles.com/ugd/0a052f_c8a154e1611b4cd7a4bcb3faf1d2951b.pdf
    • https://static.usrfiles.com/ugd/e2f7e1_1383a77c62664df49e6f182fd19c621f.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006615.bin
6f390c0a62aa03c01d49204a721b8a910f066cc20a845ac48483f0fa53bb8963		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6615 5532 bytes
font_01_sfnt_off000078d7.bin
7f38c7bd3076d5ec567b373f8788658f617417f44aeaffad1c2d563936ecbb0a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78D7 2268 bytes
font_02_sfnt_off000082e7.bin
61cd6fc0e1720435b73119dbc784fd7274dce9404f92d0f9627267107e087ca0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x82E7 10060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.