Malicious PDF — malware analysis report

Static analysis result for SHA-256 e2637adde668ca68…

MALICIOUS

PDF

34.6 KB Created: 2020-08-29 12:42:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ef8e573944f6bea9977c24fe4eb1e44b SHA-1: 9e72c753a602d29f1ab333addd70cbfc43aa515a SHA-256: e2637adde668ca68a00e908f05fdd666e7fb1f8b3d5de8f042ba6c2070e026f0
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Attachment T1204.002 Malicious File: Malicious Link

The PDF file was flagged by a machine learning classifier as malicious and contains a high number of embedded links. One of these links, 'https://ttraff.ru/wix?keyword=ser+y+estar+worksheets', points to a known malicious redirector. The majority of other links point to PDF files hosted on Shopify, suggesting a link farm or SEO manipulation tactic. The document body itself is heavily obfuscated and contains metadata indicating it was generated by wkhtmltopdf.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=ser+y+estar+worksheets
    • https://cdn.shopify.com/s/files/1/0433/3862/9275/files/fodifasesomede.pdf
    • https://cdn.shopify.com/s/files/1/0437/7041/3207/files/roger_cpa_textbook.pdf
    • https://cdn.shopify.com/s/files/1/0432/9763/6512/files/55211321202.pdf
    • https://cdn.shopify.com/s/files/1/0431/5126/1853/files/mabafipokamanufezugizub.pdf
    • https://cdn.shopify.com/s/files/1/0429/8362/0757/files/88860693064.pdf
    • https://static.usrfiles.com/ugd/b8c837_442e979460214b15872380ed30b92c52.pdf
    • https://static.usrfiles.com/ugd/b8c837_767516d29e734ebca158c269edd07f9c.pdf
    • https://static.usrfiles.com/ugd/b8c837_29d012bf2c4844658994e1a5db8f2014.pdf
    • https://static.usrfiles.com/ugd/b8c837_92460ea311c6494fae54c155528fd7d6.pdf
    • https://cdn.shopify.com/s/files/1/0437/1477/3147/files/xewaluxud.pdf
    • https://cdn.shopify.com/s/files/1/0463/5489/0913/files/lazy_town_lil_jon_mashup.pdf
    • https://cdn.shopify.com/s/files/1/0437/6598/9530/files/96691364955.pdf
    • https://cdn.shopify.com/s/files/1/0434/8729/7696/files/incident_report_form_for_child_care.pdf
    • https://cdn.shopify.com/s/files/1/0428/7817/3351/files/ejemplo_de_auditoria_financiera_de_una_empresa.pdf
    • https://cdn.shopify.com/s/files/1/0435/1731/3178/files/wotisodaposanivotosepube.pdf
    • https://cdn.shopify.com/s/files/1/0434/9945/4628/files/tarakivejexojorasivaneta.pdf
    • https://cdn.shopify.com/s/files/1/0436/4474/7929/files/samojexad.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004a9c.bin
fca81df314ffbb2735fcb491eacfcca00089fbd0fd978a82831598acdf9b5dd6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4A9C 5100 bytes
font_01_sfnt_off00005c00.bin
5cb71f202ca32da4ec4a6fb38caa23a9be188d691d859940f2cf5a0bae5ffedd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C00 9844 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.