Malicious PDF — malware analysis report

Static analysis result for SHA-256 e8acb3edf83bd466…

Verdict: MALICIOUS
File type: PDF
Size: 39.3 KB
Created: 2020-08-16 18:29:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cc93a94ab87b239e7e43dff8df52b1ec
SHA-1: 3c6b59233d5e61cf0162ce47ccc0ff9cb2e127cf
SHA-256: e8acb3edf83bd466ef2f8433c6a48121f4acce679c7b8c5e876a921814bfbd0d
Risk score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF document contains numerous embedded links, many of which point to a link farm hosted on cdn.shopify.com. One critical heuristic identified a link to a known malicious redirector, ttraff.cc, which is further obfuscated by a keyword related to hacking a mobile game. The document body, though heavily corrupted, also contains the same lure text. The primary attack pattern involves luring the user to click on malicious links that likely lead to further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005c5c.bin
Hash: 1007cbbaf522d5a9baceb1bf1dd771163bd1b6346d2f88cbdecc2d9af0add808
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5C5C
Size: 5388 bytes

Filename: font_01_sfnt_off00006ea7.bin
Hash: 67760b1a4be5c2f3c851f1aa2d017b107f299541f5791e722f856a0e074923df
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6EA7
Size: 9956 bytes