Malicious PDF — malware analysis report

Static analysis result for SHA-256 fdde4e27c3137733…

MALICIOUS

PDF

42.8 KB Created: 2020-08-30 18:46:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3a03652243444b5298c8f7921a87ade0 SHA-1: dd19e62e8b7140a1b2a1815d7733c81db11373ba SHA-256: fdde4e27c3137733a3332ff6ac07bbe9e5dc84c726654cfa20278e5e9d765bc5
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous embedded links, with a critical heuristic firing indicating a malicious redirector. The document body, though heavily obfuscated, contains a URL pointing to a redirector service. This suggests the primary intent is to redirect the user to a malicious site, potentially for phishing or malware distribution. The presence of many Shopify links, some marked as benign, indicates a link farm strategy.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=anatomy+and+physiology+an+integrative+approach+pdf+download
    • https://cdn.shopify.com/s/files/1/0436/5497/1557/files/jujanesavobubojobip.pdf
    • https://cdn.shopify.com/s/files/1/0438/8500/2920/files/make_compost_tea_without_aerator.pdf
    • https://cdn.shopify.com/s/files/1/0465/1774/7870/files/michael_bakunin.pdf
    • https://cdn.shopify.com/s/files/1/0433/6461/4303/files/lapebinegovofawurukarawek.pdf
    • https://cdn.shopify.com/s/files/1/0433/3237/0590/files/hiit_workout_book.pdf
    • https://static.usrfiles.com/ugd/b8c837_9b6a671e68074d0092aa7839ba5754c4.pdf
    • https://static.usrfiles.com/ugd/24853a_75efe02c66f64d31b52543acfe979950.pdf
    • https://static.usrfiles.com/ugd/b8c837_d555d847c9024a99bd9a694c86e40bf4.pdf
    • https://cdn.shopify.com/s/files/1/0435/8314/4093/files/gerente_administrativo_perfil_y_funciones.pdf
    • https://cdn.shopify.com/s/files/1/0434/9100/0472/files/98684343908.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/4274895189.pdf
    • https://cdn.shopify.com/s/files/1/0437/8034/1917/files/zafazugasilenojolubes.pdf
    • https://cdn.shopify.com/s/files/1/0431/6856/3351/files/tofunotegovewamizutitun.pdf
    • https://cdn.shopify.com/s/files/1/0446/1376/3235/files/anti_tb_drugs_pharmacology.pdf
    • https://cdn.shopify.com/s/files/1/0428/9508/1635/files/renudul.pdf
    • https://cdn.shopify.com/s/files/1/0428/3206/8775/files/55481656009.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/52299098946.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006524.bin
97a46714785b2b8c5661f9bc6d0d2ec261a4b5a355af79dd1d814ebe8a9503b6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6524 5812 bytes
font_01_sfnt_off000078d6.bin
1dd5477c8ce89f8ced254cae6622f9bb57fb2d74a0bca7a8dcd527e6081dd3fe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78D6 10788 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.