Malicious PDF — malware analysis report

Static analysis result for SHA-256 d771f095880053ac…

MALICIOUS

PDF

81.3 KB Created: 2020-09-17 17:00:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ceb9311fe2a6f8b8574b3c2b1299d8ee SHA-1: 75f34dea9741e21674af591407b530772b06a084 SHA-256: d771f095880053acc6bffe7fa3ed2fb24b06b5d90e2e82b01e7e2d245692300c
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, which points to a URL designed to lure users with a search query for a product manual. This link is embedded within the document body, suggesting a social engineering tactic to drive traffic to malicious infrastructure. The presence of numerous other links, many hosted on Shopify, indicates a potential link farm or SEO poisoning attempt to improve search engine visibility for the malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=at%2526t+digital+answering+system+4h20+manual
    • https://cdn.shopify.com/s/files/1/0431/4585/5137/files/mixapipi.pdf
    • https://cdn.shopify.com/s/files/1/0434/1714/1415/files/javascript_game_codes.pdf
    • https://cdn.shopify.com/s/files/1/0431/4798/5053/files/counselling_techniques_for_depression.pdf
    • https://cdn.shopify.com/s/files/1/0433/0491/1006/files/11236700624.pdf
    • https://cdn.shopify.com/s/files/1/0430/4555/2277/files/68958766178.pdf
    • https://cdn.shopify.com/s/files/1/0434/3631/0693/files/95198308848.pdf
    • https://cdn.shopify.com/s/files/1/0427/5293/4044/files/numixavolafugisemo.pdf
    • https://1afd2ac2-666e-433d-9f20-876ffcfdd639.filesusr.com/ugd/03dcd4_cb0c6635d0ee430394ddeb8efec28697.pdf?index=true
    • https://6d367675-94b5-4aab-afd3-eb9329f5d292.filesusr.com/ugd/9b5f63_3fef8a2e58fc48be92ddc5a316688046.pdf?index=true
    • https://16c80faf-01c2-42e3-bd91-574f15a7aab3.filesusr.com/ugd/735424_ff013e1ecd79416b811c3c16871865ce.pdf?index=true
    • https://ce7093c6-739f-465a-8b2e-c2574c86ebe3.filesusr.com/ugd/d902bb_cf68b61fcedc4a5187602562edbfa5a7.pdf?index=true
    • https://ca8d2587-8687-4030-a8ba-319bc8c8b476.filesusr.com/ugd/9f06f8_de599f1a8e684a63b6e20706c500a785.pdf?index=true
    • https://bc2dfa02-4b1f-4b04-b0f7-399946790465.filesusr.com/ugd/3be48b_be92642e03ab4afda077dc36702e16b2.pdf?index=true
    • https://2c248805-1051-4c9d-81e4-f2e1c0f5e055.filesusr.com/ugd/9cfd0a_23a9aa5d0b294817b6b2f5f912a94dea.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bbd0.bin
5cfd6b7c9494a2f54badf5fd2b4679a0363ded19b9845b8964aa8c5ff52a9511		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBBD0 6164 bytes
font_01_sfnt_off0000d16e.bin
106870a10dbfccf3057d0c7ee14d46762c3b5439f45f79260474e3082fef8399		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD16E 4144 bytes
font_02_sfnt_off0000df90.bin
924dd25e42f4905f799fd3add51cb5af51799d00284b541785e55d0b5b313bf6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDF90 18284 bytes
font_03_sfnt_off000117aa.bin
4c8bd7855872e31a708c03d3df4915dff9d064e1f682610f5029f2bbaec3dc1f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x117AA 19204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.