Malicious PDF — malware analysis report

Static analysis result for SHA-256 e472a4ff7d167a2c…

MALICIOUS

PDF

60.4 KB Created: 2020-08-11 09:16:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e02ad90351e9a81d14eeaed27ec62056 SHA-1: bd7293517674acb49cdccadbf86e1de5f5a0a837 SHA-256: e472a4ff7d167a2c9782c6bc93c4f6738e83cb3ee57cfcdc399f218b98e2fc89
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a high number of embedded links, many pointing to Shopify domains, but one critical link directs to a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.cc/pify?keyword=amsco+apush+period+3+pdf', which is flagged as malicious. This suggests the PDF is designed to act as a link farm or lure, directing users to malicious infrastructure. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=amsco+apush+period+3+pdf
    • http://files.wlreading.org/uploads/1/3/0/7/130775371/a27cb4591.pdf
    • http://files.meganalms.com/uploads/1/3/0/7/130739719/mawilewe-musegizororeli-xisedizifukob-jirusujilufuz.pdf
    • http://zizesujeg.swiftfitnwa.com/uploads/1/3/2/6/132681946/2340606.pdf
    • http://files.webberswhippingpost.com/uploads/1/3/1/4/131483275/1042757.pdf
    • http://files.thestrongfamiliescommission.com/uploads/1/3/0/7/130739651/senix-xofevep.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/gijamibumiji.pdf
    • https://cdn.shopify.com/s/files/1/0428/0814/8127/files/dotovip.pdf
    • https://cdn.shopify.com/s/files/1/0431/7646/0448/files/lifalep.pdf
    • https://cdn.shopify.com/s/files/1/0429/1995/2550/files/hong_kong_bus_map.pdf
    • https://cdn.shopify.com/s/files/1/0431/2236/0469/files/65062284467.pdf
    • https://cdn.shopify.com/s/files/1/0432/3583/6068/files/dutugox.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/zetuvoveluganimuwejipas.pdf
    • https://cdn.shopify.com/s/files/1/0431/1485/6610/files/40549262131.pdf
    • https://cdn.shopify.com/s/files/1/0429/7008/7587/files/zadonigi.pdf
    • https://cdn.shopify.com/s/files/1/0446/0737/3476/files/coliformes_totales_nom_112_ssa1_1994.pdf
    • https://cdn.shopify.com/s/files/1/0431/1633/1172/files/31676836394.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/faramerujinusopuko.pdf
    • https://cdn.shopify.com/s/files/1/0429/6704/0163/files/auditoria_fiscal_mexico.pdf
    • https://cdn.shopify.com/s/files/1/0432/7813/9556/files/latefafosojedewofoti.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d79.bin
83b827a761dd697e2c442f9680784695705dca481772416ab6c180d32b40b098		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D79 5516 bytes
font_01_sfnt_off0000800f.bin
5a62d3502271077e3b33138c40788b8aa864cf805d13ac4f9f37627ad99d9332		 pdf-font-stream PDF embedded font (sfnt) at offset 0x800F 14876 bytes
font_02_sfnt_off0000ab26.bin
8f6cd3e897f8df8280f2a4dec24bed65c1d127ea93135b8f2645d4361928705a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAB26 10556 bytes
font_03_sfnt_off0000cf49.bin
354dce64f07f3d7acdf6a04edf763950ffbfec4edcbb4bfe17b65a83544077bb		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCF49 16036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.