Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5fb071dc75d065c…

MALICIOUS

PDF

Size: 44.9 KB
Created: 2020-08-29 20:16:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 124ee53818c32ace4992f90ef1e4b8ea
SHA-1: 1276fbe9d00c09d5bbaf8057ea7d377c25c0753c
SHA-256: e5fb071dc75d065c03a16b307e8d3f092dc7b119a9687c37e991f3f7c79c9bf4
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF file contains a large number of embedded links, many of which point to external PDF files hosted on static.usrfiles.com and cdn.shopify.com. One critical heuristic firing indicates that the PDF links to known malicious redirector infrastructure via the URL https://ttraff.com/wix?keyword=digital+logic+circuit+analysis+and+design+answers. The ML classifier also strongly flagged this PDF as malicious. The document body appears to be obfuscated but contains references to the academic topic 'Digital logic circuit analysis and design answers', likely as a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=digital+logic+circuit+analysis+and+design+answers

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000557d.bin | 2421cc8c5c1c8c11033bdc1e3834925263aaed9fdac5132727ba87f5fa2d0d87 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x557D | 3132 bytes
font_01_sfnt_off000060bc.bin | 72b272d2a2715eaf20bca921b266a1bba23eceec3e990f47a395185dadb3676d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x60BC | 5184 bytes
font_02_sfnt_off0000727a.bin | b892df9b8b4d9cf724541fb98b9055e1ad859f663ed19f2f520cbb93e6d52cee | pdf-font-stream | PDF embedded font (sfnt) at offset 0x727A | 10436 bytes
font_03_sfnt_off000095f3.bin | 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x95F3 | 4324 bytes