Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb1c469b6654eba0…

Verdict: MALICIOUS
File type: PDF
Size: 39.3 KB
Created: 2020-09-18 00:42:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 989dac292e4514a352a764589dab7504
SHA-1: 22dacd7e342fcd0db32f6d949c686e29d0a9502b
SHA-256: eb1c469b6654eba0c9e3df958e3613b7a2d0306bada225e13ef6cc99cf327f7d
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a mass external link farm, and one of its URLs is identified as a malicious redirector. The document body, though heavily obfuscated, contains that malicious URL alongside other benign-looking URLs, likely included to disguise the malicious intent. The primary malicious URL is https://ttraff.me/wix?keyword=gymboree+class+schedule+basking+ridge+nj, which redirects the user to further malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://ttraff.me/wix?keyword=gymboree+class+schedule+basking+ridge+nj

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005a37.bin
    SHA-256: bbb13ddf0080084590b5f450ec65d4f6919da9df209675928081f7b699d10ece
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5A37
    Size: 5764 bytes
  • Filename: font_01_sfnt_off00006db3.bin
    SHA-256: bc7c1e871ae86b05b27b59b0ea7e6f6bc37afa8d55ee67d075c259d5aa0b5af8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6DB3
    Size: 10112 bytes