Malicious PDF — malware analysis report

Static analysis result for SHA-256 e87f2c6448e2456c…

MALICIOUS

PDF

70.4 KB Created: 2020-08-19 09:19:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ef0e0b1dc451b0bdd966dc76a2349dcd SHA-1: 3d3714348456f9ba8e3a6bd1f42d35fab66f46b8 SHA-256: e87f2c6448e2456cb55fa9a92509e117b32486b0602a19b0c9e4755e794f4dbe
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a prominent link disguised as a 'Chgg stock earnings report'. This link redirects to 'https://ttraff.cc/pify?keyword=chgg+stock+earnings+report', which is identified as a malicious redirector. The document also features a large number of embedded links pointing to various Shopify domains, likely part of a link farm to improve SEO for malicious content. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=chgg+stock+earnings+report
    • http://files.southernaddictiondecor.com/uploads/1/3/1/6/131637362/7413174.pdf
    • http://files.averyandersongourdart.com/uploads/1/3/0/9/130968942/9958750.pdf
    • http://bojal.cfhrc.com/uploads/1/3/1/4/131408172/numiwopewuligebobom.pdf
    • http://files.cakesncupcakes4u.com/uploads/1/3/1/4/131406337/wizukusura-vawipaluw-pajotajifogo-legasevetejexa.pdf
    • http://gizisaf.drbrentschillinger.com/uploads/1/3/0/7/130739873/30373e237a4b.pdf
    • https://cdn.shopify.com/s/files/1/0432/5074/5512/files/logafarijiporuvixusarajo.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/12086745869.pdf
    • https://cdn.shopify.com/s/files/1/0449/9714/8830/files/fumogilevava.pdf
    • https://cdn.shopify.com/s/files/1/0429/5327/7589/files/rogipatokopufi.pdf
    • https://cdn.shopify.com/s/files/1/0434/3188/6998/files/ancillary_justice_download.pdf
    • https://cdn.shopify.com/s/files/1/0430/9434/3841/files/zijedavelubitadamexep.pdf
    • https://cdn.shopify.com/s/files/1/0439/3838/1992/files/majujijapa.pdf
    • https://cdn.shopify.com/s/files/1/0431/6335/3244/files/approaches_and_methods_in_language_teaching_3rd.pdf
    • https://cdn.shopify.com/s/files/1/0440/8626/3960/files/android_studio_gitignore.pdf
    • https://cdn.shopify.com/s/files/1/0437/7529/5640/files/don_juan_tenorio_cervantes_virtual.pdf
    • https://cdn.shopify.com/s/files/1/0432/1017/8717/files/gaxenibitulefojegobare.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d487.bin
92be8d239c8b6cba8dcdcd18ade3da61c9b385781a6618f1372cafacf388071c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD487 5132 bytes
font_01_sfnt_off0000e5f9.bin
350a15d5468071d77fd3892af424a409cbdb4804ac13b3adfb703d7525711842		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE5F9 11424 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.