Malicious PDF — malware analysis report

Static analysis result for SHA-256 e595d6930a7f958a…

MALICIOUS

PDF

44.4 KB Created: 2020-07-12 18:23:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fc188944ba7fea2cfc36348e9163dbda SHA-1: 1fafeb81abb337885cb018b1ea1fff7755b437c6 SHA-256: e595d6930a7f958ac79ecc5e3686fe3482095301de2caa690a5d4be8534a7110
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to external PDF files hosted on various domains, indicating a link farm or redirection strategy. One prominent link directs to a known malicious redirector. The document body, though partially corrupted, contains the text 'Les pièces de la maison en anglais exercices pdf' and the URL 'https://ttraff.com/wb?keyword=les%20pi%C3%A8ces%20de%20la%20maison%20en%20anglais%20exercices%20pdf', suggesting a lure to engage the user with educational content while redirecting them to malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=les%20pi%C3%A8ces%20de%20la%20maison%20en%20anglais%20exercices%20pdf
    • http://files.raleighfencebuilder.com/uploads/1/3/1/3/131380915/tarajugowusubob.pdf
    • http://files.kimkirch.com/uploads/1/3/0/7/130775827/welobozutudirol-fulunim.pdf
    • http://files.avrilstaple.com/uploads/1/3/0/8/130873791/9834435.pdf
    • http://files.nobleprincess.com/uploads/1/3/0/8/130873997/vigowijexa-wekopixexed.pdf
    • http://files.wandalaclaire.ca/uploads/1/3/0/7/130740256/4097248.pdf
    • http://files.swpay.uk/uploads/1/3/1/3/131383325/pegepo-kanow-bipomufun.pdf
    • http://files.bcdt.co.uk/uploads/1/3/2/6/132695300/72fdb88198476e.pdf
    • http://files.positiveposturenz.com/uploads/1/3/1/4/131483550/sivaf_polatafi_zuwovil.pdf
    • http://files.pennjournalconlaw.com/uploads/1/3/2/6/132682694/bawibixijuzawo.pdf
    • https://tusivedugex.files.wordpress.com/2020/06/jubewakasonosev.pdf
    • https://megewusebu.files.wordpress.com/2020/06/xebizuzexumadarawimavuve.pdf
    • https://fivitulid.files.wordpress.com/2020/07/vinelojemujatajejavitib.pdf
    • https://jisagusabok.files.wordpress.com/2020/07/97839514572.pdf
    • https://gelisobutori.files.wordpress.com/2020/06/11566685528.pdf
    • https://cdn.shopify.com/s/files/1/0431/5712/7336/files/setesivukogi.pdf
    • https://cdn.shopify.com/s/files/1/0433/3525/4171/files/wevel.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/21154843933.pdf
    • https://cdn.shopify.com/s/files/1/0429/7372/4825/files/likiwewobasotefu.pdf
    • https://cdn.shopify.com/s/files/1/0431/5486/6333/files/gefenenos.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/bebupikisanomagidilu.pdf
    • https://cdn.shopify.com/s/files/1/0432/7338/8190/files/xogakalotiwoda.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/91960476686.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/zurutadodusabexefiba.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000069d6.bin
412ae5a64a916293913d81c65e4a408cf14529caaf4d629f9b34d50a5cd3f7ed		 pdf-font-stream PDF embedded font (sfnt) at offset 0x69D6 5332 bytes
font_01_sfnt_off00007b98.bin
f865d2e12acee6cc9f600d26999c4af2d7f924eab924c89015f7e164de652e93		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B98 12100 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.