Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7fc048c840294af…

MALICIOUS

PDF

Size: 45.7 KB
Created: 2020-09-20 08:23:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f610d0ec9e502ea8d4a61ef76aeafe00
SHA-1: a48baaa5e012d9d69c6d4f29f0420fc663481303
SHA-256: e7fc048c840294afd7b0c59c4419d753f8309795123711aea75cdc595a79838c
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains numerous embedded links, including a critical redirector link to 'https://ttraff.link/wix?keyword=buscando+a+alaska+pdf+descarga+directa'. It also functions as a link farm, directing users to a large number of other PDF files, many of which appear to be SEO spam. The ML classifier strongly indicates maliciousness, supporting the conclusion that this PDF is part of a distribution or redirection scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.link/wix?keyword=buscando+a+alaska+pdf+descarga+directa
    • http://powote.kathyjohnsonart.com/uploads/1/3/0/7/130775181/lazibisaj-sarep-wapobi.pdf
    • http://files.kangarooislandvet.com/uploads/1/3/1/0/131070604/7a562508.pdf
    • http://files.salutecug.com/uploads/1/3/1/6/131606186/f546490093.pdf
    • https://318796e9-f5df-4d91-b5ff-3b7e51262f3c.filesusr.com/ugd/031dda_dbdb3cf1a66941f9bcd308ad99870d62.pdf?index=true
    • https://208ab16c-12af-43bf-b0ad-ccc28aca537d.filesusr.com/ugd/1f2646_0a44dbf6b00748d7af0f2dc1346dad72.pdf?index=true
    • https://bb293ede-7a47-452a-a2ca-63bb9888a602.filesusr.com/ugd/ffe0d3_15b29288a47a462cabc29b3bc58dd235.pdf?index=true
    • https://80a0f764-8f38-4798-b817-9ef2eebbd28f.filesusr.com/ugd/2f3ac6_9c053c10e6954c4b88967d295ad493eb.pdf?index=true
    • https://97752b8a-c4fd-4c77-b139-10fa0e6641f2.filesusr.com/ugd/1e52da_f09bd9bc0d2d429cbc2e18255abd4ea3.pdf?index=true
    • https://b13ecb4b-ef23-4bae-87fd-3343e7b4e0d2.filesusr.com/ugd/d2751c_25840aff35cc47e29b9200be35965a5a.pdf?index=true
    • https://492f5e6e-8a7d-4e71-8068-e0bf4e311e97.filesusr.com/ugd/2072cd_2a1b4d81850f406d9123d9a55ae35ceb.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0433/9957/7756/files/mastering_the_boards_step_2.pdf
    • https://cdn.shopify.com/s/files/1/0434/2926/5564/files/anatomy_trains_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0484/8284/4834/files/57603685096.pdf
    • https://cdn.shopify.com/s/files/1/0430/2897/1674/files/68625433190.pdf
    • https://cdn.shopify.com/s/files/1/0432/9691/5616/files/88822590738.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: font_00_sfnt_off00007523.bin
  SHA-256: ad3688ffb20734aeafc0465440715d110f74654cae9d79377629bb78b0fedb31
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7523
  Size: 5436 bytes

Artifact 2
  Filename: font_01_sfnt_off000087b7.bin
  SHA-256: 1350610fb1c149d5ea4fe37105a76f13f533c34b63cb2577f07a09a0bf5dba6a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x87B7
  Size: 10036 bytes