Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef42b6f7066d5d03…

Verdict: MALICIOUS
File type: PDF
Size: 46.9 KB
Created: 2020-08-30 04:16:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: abb23f6a671f886f39c966d3f3f402b9
SHA-1: e1fc0acc88d1f0f0589fb02dc950aa2c02e7e3b3
SHA-256: ef42b6f7066d5d037b9a07b583902c8c9307d2892f349d6257d4cd720d03ac1e
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to Shopify domains, forming a link farm. One of these links, however, redirects through ttraff.cc, a known malicious redirector. The document body contains garbled text and what appears to be metadata, but the primary malicious intent is derived from the embedded links and the PDF structure itself. The presence of a malicious redirector indicates an attempt to lead the user to a harmful destination.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=seagate+pipeline+hd+2+500gb
    • https://cdn.shopify.com/s/files/1/0428/0621/4819/files/bekhayali_female_version_song_pagalworld.pdf
    • https://cdn.shopify.com/s/files/1/0432/2010/7428/files/boxogoja.pdf
    • https://cdn.shopify.com/s/files/1/0434/5570/9351/files/58292707341.pdf
    • https://cdn.shopify.com/s/files/1/0450/9345/3987/files/cervical_cancer_statistics_worldwide_2020.pdf
    • https://cdn.shopify.com/s/files/1/0433/5537/3720/files/xevubixuwuraja.pdf
    • https://static.usrfiles.com/ugd/8de238_28fe0c6282e64861a4a48d49b2c33592.pdf
    • https://static.usrfiles.com/ugd/3aee12_0cc7e8229bbb48e8a09b3228e5fb5868.pdf
    • https://static.usrfiles.com/ugd/69695d_a248f03467a7425ebc876cb791ab0ea8.pdf
    • https://static.usrfiles.com/ugd/b8c837_c02f80ebf58c47f5a7dda6f58f20754d.pdf
    • https://static.usrfiles.com/ugd/b8c837_f6dc46405b074502859cef609ce0d915.pdf
    • https://cdn.shopify.com/s/files/1/0431/1056/3994/files/motikumulov.pdf
    • https://cdn.shopify.com/s/files/1/0432/9121/3990/files/47550729133.pdf
    • https://cdn.shopify.com/s/files/1/0427/4972/2790/files/wedding_officiant_speech_template.pdf
    • https://cdn.shopify.com/s/files/1/0437/5783/0298/files/dikuxivubosedevedudo.pdf
    • https://cdn.shopify.com/s/files/1/0431/7102/0957/files/tesis_sobre_aprendizaje_significativo.pdf
    • https://cdn.shopify.com/s/files/1/0432/7591/1321/files/ararara_khatarnak_dj_song.pdf
    • https://cdn.shopify.com/s/files/1/0431/3025/7568/files/91420970006.pdf
    • https://cdn.shopify.com/s/files/1/0434/3503/2737/files/manotatusukopov.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off000051f5.bin
    SHA-256: 9f3fac83d875163d307472240e05e70dee4c4011d2ad63e575b3c02a73d22c6f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x51F5
    Size: 5588 bytes
  • font_01_sfnt_off000064dc.bin
    SHA-256: 8170fc3fc409a1c0877eb8fc97c1aa6793fdaed6054e537339186737bbbebbfb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x64DC
    Size: 1648 bytes
  • font_02_sfnt_off00006d1f.bin
    SHA-256: 7c94c1a665f8ab68a27f445a07524f82363fd97a217b4dbb0270227c8cf83307
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6D1F
    Size: 13984 bytes
  • font_03_sfnt_off000098cd.bin
    SHA-256: a109d5cc1a8599929bd7702a943337bd153faf2776ff4e30ac39a15e38c17cef
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x98CD
    Size: 16204 bytes