Malicious PDF — malware analysis report

Static analysis result for SHA-256 d5be3d96a9e6fa77…

Verdict: MALICIOUS
File type: PDF
Size: 62.4 KB
Created: 2020-08-31 12:13:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2147112a4d8798565c19d3621e67e7ab
SHA-1: cc50f7759236dd1fcac0cefa994854c7afa091a0
SHA-256: d5be3d96a9e6fa77694e3bc1295c184306159eb9a455994218c34d884b7fdba2
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document was flagged by a critical heuristic for containing a malicious redirector link, specifically 'https://ttraff.ru/wix?keyword=chinese+zodiac+compatibility+horse+and+goat'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, many of which point to benign content on cdn.shopify.com. The ML classifier strongly supports the malicious verdict. The primary attack vector appears to be luring users to malicious sites via the embedded redirector.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=chinese+zodiac+compatibility+horse+and+goat
    • https://static.usrfiles.com/ugd/1f5cef_f35de6855ff84edd8b304b87f48fe66c.pdf
    • https://static.usrfiles.com/ugd/c83fdb_aef625ef6d9545fbbf42f79b8db11270.pdf
    • https://static.usrfiles.com/ugd/b8c837_c7151b146081438db569de236f6cf398.pdf
    • https://static.usrfiles.com/ugd/df73ab_81665b942b22474eaf78a07d2f913509.pdf
    • https://cdn.shopify.com/s/files/1/0428/7945/1295/files/breath_of_the_wild_recipe_book.pdf
    • https://cdn.shopify.com/s/files/1/0429/9977/5385/files/66376717942.pdf
    • https://cdn.shopify.com/s/files/1/0448/1597/4561/files/meaning_of_market_economy.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/34707652888.pdf
    • https://cdn.shopify.com/s/files/1/0431/0319/1193/files/4321_earth_below_us.pdf
    • https://cdn.shopify.com/s/files/1/0436/5929/6926/files/sympathetic_and_parasympathetic_nervous_system.pdf
    • https://cdn.shopify.com/s/files/1/0461/8944/5283/files/essential_thrombocytosis_guideline.pdf
    • https://cdn.shopify.com/s/files/1/0432/5641/4363/files/adb_install_apk_error_device_not_found.pdf
    • https://cdn.shopify.com/s/files/1/0436/0758/9027/files/anemia_fanconi_adalah.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000094fc.bin
    SHA-256: 8ae22b7761b177eea816e8031bfd289653404c11dfee565ea6b5624fe59484e4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x94FC
    Size: 5684 bytes
  • font_01_sfnt_off0000a81f.bin
    SHA-256: fb00e85697d1a0b5c0b0c087975d187957b5198d4b001dd3821eb9a02356a829
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA81F
    Size: 3744 bytes
  • font_02_sfnt_off0000b449.bin
    SHA-256: 9ebe6efe89e0c87454ff16378544ea8b41c924ca267412fba2a6b22fcb76502b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB449
    Size: 9944 bytes
  • font_03_sfnt_off0000d681.bin
    SHA-256: 794d8cc090a449e0d460036171b2d5b2c749cb0dc3f17972c44626ada68ee3d8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD681
    Size: 16168 bytes