Malicious PDF — malware analysis report

Static analysis result for SHA-256 eee08d45e09f53c6…

MALICIOUS

PDF

36.9 KB Created: 2020-08-25 23:28:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 36935a478d7acfac3c92809c47318d14 SHA-1: a6e9507a777dc4ef8a7e2bfcb643822b8bc83e1b SHA-256: eee08d45e09f53c659857a82e5a8060a79bbee04a066667ffe65d2ec209689fa
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to a link farm hosted on cdn.shopify.com, and one critical link to a known malicious redirector at ttraff.com. The document body, though heavily obfuscated, contains text related to a textbook search query and the malicious redirector URL. This indicates a likely phishing or malware distribution attempt disguised as a search result. No scripts were extracted, limiting the analysis of specific execution behaviors.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=social+psychology+myers+12th+edition+pdf+free
    • http://kanufo.beapaige.co.uk/uploads/1/3/1/4/131437130/6ba3a95.pdf
    • http://files.sydneyrosephotos.com/uploads/1/3/1/8/131856146/kisenapemino-luvenofunutib.pdf
    • http://files.signsbytran.com/uploads/1/3/0/9/130969340/6780620.pdf
    • http://files.be-remarkable.com.au/uploads/1/3/2/6/132696263/wimudubo-laxuna.pdf
    • https://cdn.shopify.com/s/files/1/0434/4951/6199/files/books_of_the_bible_word_search.pdf
    • https://cdn.shopify.com/s/files/1/0432/4897/6027/files/factores_psicologicos_en_la_obesidad.pdf
    • https://cdn.shopify.com/s/files/1/0436/1689/5133/files/23278711469.pdf
    • https://cdn.shopify.com/s/files/1/0430/4342/2362/files/63089738363.pdf
    • https://cdn.shopify.com/s/files/1/0432/2826/6654/files/35256615694.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rowogumidakedodovejizana.pdf
    • https://cdn.shopify.com/s/files/1/0462/6707/2669/files/tubifovizoxekanojuzuporit.pdf
    • https://cdn.shopify.com/s/files/1/0433/4272/5285/files/piratubim.pdf
    • https://cdn.shopify.com/s/files/1/0427/7898/4614/files/44449291650.pdf
    • https://cdn.shopify.com/s/files/1/0429/8499/7025/files/fuminawutigagurew.pdf
    • https://cdn.shopify.com/s/files/1/0427/5604/7004/files/vitizowaneravimusidal.pdf
    • https://cdn.shopify.com/s/files/1/0433/6310/6968/files/82461128836.pdf
    • https://cdn.shopify.com/s/files/1/0427/9359/9132/files/6th_grade_math_worksheets_fractions_with_answers.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004fa1.bin
2d4825dd4857fedbe5a7ca7e359e9d84b75f5a6864973818c58b50a180598324		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4FA1 5960 bytes
font_01_sfnt_off000063ba.bin
f13e169ff0390bc0cdc7c5d5bb06584c2981141c49c7df37ab1b223d6bcb4568		 pdf-font-stream PDF embedded font (sfnt) at offset 0x63BA 10180 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.