Malicious PDF — malware analysis report

Static analysis result for SHA-256 d5ac62da789cee46…

MALICIOUS

PDF

36.8 KB Created: 2020-08-22 04:40:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bd935fe6449f8101352b03626095edac SHA-1: 0335ac42d995d94ed620199924d110171b2779a0 SHA-256: d5ac62da789cee46b8df21b53c4e15333e1ea7c7f1036f5952e94b4f8c3c3cd2
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged by a critical heuristic for containing links to known malicious redirector infrastructure, specifically 'https://ttraff.cc/pify?keyword=a5+size+booklet+template'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, many pointing to Shopify-hosted PDFs. The ML classifier also strongly indicated maliciousness. The primary attack vector appears to be luring users to external, potentially malicious, websites through these embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=a5+size+booklet+template
    • http://files.torydesign.com/uploads/1/3/2/6/132683484/4118292.pdf
    • http://files.upstatecluttercoach.com/uploads/1/3/1/4/131407691/dedilazotanujim.pdf
    • http://files.subwaystash.com/uploads/1/3/1/6/131606492/budupujakodikoja.pdf
    • https://cdn.shopify.com/s/files/1/0438/9447/2856/files/80646670641.pdf
    • https://cdn.shopify.com/s/files/1/0430/0016/8597/files/kravitz_cash_balance_report.pdf
    • https://cdn.shopify.com/s/files/1/0433/3735/1323/files/workplace_design_ergonomics.pdf
    • https://cdn.shopify.com/s/files/1/0432/8669/1998/files/passione_pizza_antonino_esposito_download.pdf
    • https://cdn.shopify.com/s/files/1/0433/4141/4552/files/51051056122.pdf
    • https://cdn.shopify.com/s/files/1/0437/8250/4600/files/ludalosivis.pdf
    • https://cdn.shopify.com/s/files/1/0435/3658/0757/files/murenisixidawojejonov.pdf
    • https://cdn.shopify.com/s/files/1/0440/7453/3014/files/65736792289.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/13170590630.pdf
    • https://cdn.shopify.com/s/files/1/0433/8951/7973/files/88120907448.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000048ea.bin
a745f50e6c6df42916fe1a2ed24d3bb00e2310486cdc2a0dac10e415419ad753		 pdf-font-stream PDF embedded font (sfnt) at offset 0x48EA 5236 bytes
font_01_sfnt_off00005aaf.bin
79a9355ef909e12622dcc8531f7d058c737892798fa01fd4b6d00765a2d74042		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5AAF 14292 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.