Malicious PDF — malware analysis report

Static analysis result for SHA-256 d51af36c25f7e76a…

MALICIOUS

PDF

50.5 KB Created: 2020-08-14 00:28:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1c6acd8a169fee7f0a0485e063bf5e0a SHA-1: f8f05c168e13b5766f4328b77e2a6627b1ff2312 SHA-256: d51af36c25f7e76a9afe63204e9a22a6d779ad0ab15b329043656d00ac96c80f
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous embedded links, with one critical heuristic identifying a link to a known malicious redirector infrastructure at 'https://ttraff.com/pify?keyword=i-+5+oregon+accident+report'. The document body, though heavily obfuscated, contains text fragments that appear to be part of a lure related to accident reports. The presence of a large number of links, many pointing to shopify domains, suggests a link farm or SEO poisoning tactic to distribute malicious content. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=i-+5+oregon+accident+report
    • http://files.richardmichellepentelbury.com/uploads/1/3/2/6/132695862/b239ebd0c.pdf
    • http://files.fishforchange.org/uploads/1/3/0/7/130739007/76ff2223.pdf
    • http://files.simonee.com/uploads/1/3/2/3/132302759/tejozodoxelin-wotezet-zetirekof.pdf
    • http://files.matthewhavertz.com/uploads/1/3/1/0/131070849/dikobovot-jisuxipen-zusaku.pdf
    • http://luvurefik.isaiah556lawncare.com/uploads/1/3/0/8/130813528/7817591.pdf
    • https://cdn.shopify.com/s/files/1/0440/1430/5430/files/17767839857.pdf
    • https://cdn.shopify.com/s/files/1/0428/1116/2790/files/lalupuxi.pdf
    • https://cdn.shopify.com/s/files/1/0434/1334/0312/files/xuroruwukise.pdf
    • https://cdn.shopify.com/s/files/1/0430/4610/9345/files/defurenovotesibulinezu.pdf
    • https://cdn.shopify.com/s/files/1/0432/9072/2469/files/88285442947.pdf
    • https://cdn.shopify.com/s/files/1/0437/6923/3565/files/83488949894.pdf
    • https://cdn.shopify.com/s/files/1/0433/3800/6686/files/rubuxokufod.pdf
    • https://cdn.shopify.com/s/files/1/0438/2290/7554/files/36466212911.pdf
    • https://cdn.shopify.com/s/files/1/0430/6737/5770/files/nilulamonojozifi.pdf
    • https://cdn.shopify.com/s/files/1/0433/6074/7688/files/nefabezusab.pdf
    • https://cdn.shopify.com/s/files/1/0453/2695/8747/files/watirirolaso.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/mesibilefonupas.pdf
    • https://cdn.shopify.com/s/files/1/0436/8000/6294/files/catalogo_avon_campaa_4_2020.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_006_off0000a094.bin
a5084e19a0e67c794126bf952db36a1378f8133df251a333f0435682efc1bd06		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xA094 17972 bytes
font_00_sfnt_off00006bd1.bin
6ea802341b27d211166788c572dc588374c962ecb2b0842649e0af9118653773		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6BD1 5124 bytes
font_01_sfnt_off00007d4d.bin
83656aa2c4ca72faedb7f10b57c0bc655bfb0bef861a43b0b3525a6fd7705b46		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D4D 10248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.