Malicious PDF — malware analysis report

Static analysis result for SHA-256 e36962ccde1077d4…

MALICIOUS

PDF

48.5 KB Created: 2020-08-20 09:31:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b5e472b8c8a1a9177512e66678bba570 SHA-1: e4b1374f27ce8b68a577bf9d366041a4071f0bac SHA-256: e36962ccde1077d4fa92a8e0436c31a570fffebbf38ea3393dd1c798997179c8
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a significant number of embedded links, forming a link farm. One of these links, https://ttraff.com/pify?keyword=ariesms+leveling+guide+200%252B, is identified as a malicious redirector. The document body, though heavily obfuscated, contains references to this URL and other PDF files hosted on Shopify. This suggests a phishing or malicious redirection attempt, likely to lure users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=ariesms+leveling+guide+200%252B
    • http://files.bearyoursins.com/uploads/1/3/1/4/131438642/lerabipefapedet.pdf
    • https://cdn.shopify.com/s/files/1/0431/3694/2234/files/86827160391.pdf
    • https://cdn.shopify.com/s/files/1/0432/2335/1458/files/pazoxuva.pdf
    • https://cdn.shopify.com/s/files/1/0433/0936/7454/files/sowajanelalixuzilarer.pdf
    • https://cdn.shopify.com/s/files/1/0429/3709/0211/files/42271115106.pdf
    • https://cdn.shopify.com/s/files/1/0431/8681/5139/files/doredolex.pdf
    • https://cdn.shopify.com/s/files/1/0431/9500/7137/files/jigetatimitalanimenijog.pdf
    • https://cdn.shopify.com/s/files/1/0432/7319/1580/files/34703442297.pdf
    • https://cdn.shopify.com/s/files/1/0430/1147/3571/files/mifaxugaxorugadopa.pdf
    • https://cdn.shopify.com/s/files/1/0428/7181/6358/files/waxalujiruxazejoladeniv.pdf
    • https://cdn.shopify.com/s/files/1/0432/0077/4308/files/jetadatipejevuk.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007186.bin
d09fe29c926d768f6ed574adfa18e29506c62d441eda524559aa60e9b64843d9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7186 5256 bytes
font_01_sfnt_off00008357.bin
2c718df52135b15a6690592d537e3b8fbe7821e048fe69d7417d51bdc0a1a91b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8357 16336 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.