Malicious PDF — malware analysis report

Static analysis result for SHA-256 d154c5cec825ca94…

Verdict: MALICIOUS
File type: PDF
Size: 85.7 KB
Created: 2020-09-17 04:42:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f53f72f813705207e4f17c6050a913ae
SHA-1: 37c0abb5ce98514c26758b6e175a6a5872a7cc1f
SHA-256: d154c5cec825ca940cff56c68fdd6527dfc51c2bbebdffdc4894c47eefa9dba6
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.001 Malicious Link
  • T1059.001 PowerShell

A critical-severity heuristic fired on this PDF for a malicious redirector link pointing to 'https://ttraff.cc/wb?keyword=bose%20t1%20tonematch%20manuale%20italiano'. This URL is likely part of a phishing or scam campaign that lures users into clicking by presenting the document as a product manual. The document also contains a large number of embedded links to Shopify-hosted PDFs, most of which are likely part of a link farm built to improve the search ranking of malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/wb?keyword=bose%20t1%20tonematch%20manuale%20italiano

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00011342.bin
SHA-256: 1638ead0031c6182921eaa88bc68289db4ef2e9b85ccf18f96627db34efec67a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11342
Size: 5044 bytes

Filename: font_01_sfnt_off00012448.bin
SHA-256: 9a343ddb3baf6f6632991fed7bed749ef3a4467e8b82233bb43ea1ccd7894ed2
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x12448
Size: 10940 bytes