Malicious PDF — malware analysis report

Static analysis result for SHA-256 cae05c7394b42513…

MALICIOUS

PDF

66.5 KB Created: 2020-08-30 17:40:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 283bc3d0e3f62919e2e2cd2bd634b423 SHA-1: 2e083897c3fa790b1955f444b22d2c0797437270 SHA-256: cae05c7394b42513938cf29ee9f8b92c111ef710eb09b676a494d6c819f02fbd
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged by a machine learning classifier as malicious and contains a critical heuristic indicating it links to known malicious redirector infrastructure. Additionally, it exhibits characteristics of a PDF link farm, with numerous external links, many pointing to Shopify and static.usrfiles.com domains. The document body contains garbled text but includes a URL that appears to be part of a SEO spam campaign. The primary attack pattern involves redirecting users to potentially harmful content or manipulating search engine results.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=c%25C3%25B4ng+ty+tnhh+ph%25C3%25A1t+%25C4%2591%25E1%25BA%25A1t+s%25C3%25A0i+g%25C3%25B2n+l%25E1%25BB%25ABa+%25C4%2591%25E1%25BA%25A3
    • https://cdn.shopify.com/s/files/1/0431/7144/6939/files/judetuj.pdf
    • https://cdn.shopify.com/s/files/1/0431/0941/7127/files/53648222015.pdf
    • https://cdn.shopify.com/s/files/1/0434/3077/2901/files/wibejadudag.pdf
    • https://cdn.shopify.com/s/files/1/0429/5367/0822/files/49146195099.pdf
    • https://static.usrfiles.com/ugd/b8c837_b15a3ae8ae444835aaddf3d67db363c0.pdf
    • https://static.usrfiles.com/ugd/2f8cea_3262db0799a64dce80c3012a53f59a97.pdf
    • https://static.usrfiles.com/ugd/c0b427_e369716befe1490db6ec221d31c4e443.pdf
    • https://static.usrfiles.com/ugd/b8c837_6848c29195e14451a249500917ed0051.pdf
    • https://static.usrfiles.com/ugd/dd4472_483d4b02c8944887ae265a4ae9ede730.pdf
    • https://static.usrfiles.com/ugd/b8c837_78becd815b094071a59ceb8afbc0b874.pdf
    • https://static.usrfiles.com/ugd/7198c1_9b75c3d7d5414421be94e678c9209766.pdf
    • https://static.usrfiles.com/ugd/b8c837_5d850ccd029d4e1cb951f54a314fe7d0.pdf
    • https://static.usrfiles.com/ugd/89363e_dca1d45b43044f1faffc6116feef04ae.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000068f5.bin
3d4760ca295192c89086870ebbac49c5a5945404ea6ab57fca452cf2db5f569a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x68F5 6440 bytes
font_01_sfnt_off000078e9.bin
f2c26ab4c1eb3260d7643b05d2bd2fcacfb9558ccdb597c2a61dddde21c99166		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78E9 6220 bytes
font_02_sfnt_off00008b49.bin
0d5e7267088c0f5eb0c924bd3782ae9a395438c7299a87fcaf0cd02c302a5a18		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8B49 2428 bytes
font_03_sfnt_off0000960c.bin
b448a64f9b49d13adab359962cfa32b33ea73b30c3180deb5b0bdf5477984853		 pdf-font-stream PDF embedded font (sfnt) at offset 0x960C 26952 bytes
font_04_sfnt_off0000d30e.bin
1f9b10a81d57d9a60771c187e8910414bfb10718745f481dfabafcf9d573b57b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD30E 17220 bytes
font_05_sfnt_off0000eb80.bin
1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEB80 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.