Malicious PDF — malware analysis report

Static analysis result for SHA-256 01949af8d9614883…

Verdict: MALICIOUS
File type: PDF, 71.0 KB
Created: 2020-08-12 01:39:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5:     7ac6ccff93ba41740becf18f22017b61
SHA-1:   84702e973920a9eff078b42587d8e5952cd4d14c
SHA-256: 01949af8d9614883a677fa64164952aaa005ab8004e8882771770e18f7a01ba2
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of clickable links. Most point to other PDFs hosted on cdn.shopify.com and on `files.<domain>/uploads/...` paths, but one points to a known malicious redirector at `ttraff.ru` (query string `keyword=gymnopedie no. 1 sheet music pdf`). This is a link-farm / SEO-poisoning pattern: the document is generated to rank for a search term and route users who open it into a redirect chain. The same `ttraff.ru` URL also appears in the document body text, which is heavily obfuscated so that the PDF's real purpose is not obvious on inspection. No JavaScript or other script content was extracted from this sample, so the T1059.001 (PowerShell) mapping above is not evidenced by the file itself; the malicious behaviour depends on the user clicking the link and on the redirector, not on a PDF parser vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G, written `N G obj`) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content; for this sample it stays at info.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL (clickable link annotation, also present in the document body):
      • https://ttraff.ru/wb?keyword=gymnopedie%20no.%201%20sheet%20music%20pdf
    Link-farm PDF targets:
      • http://files.jimmyzhan.ca/uploads/1/3/1/1/131163705/24512da11f.pdf
      • http://files.slesanz.com/uploads/1/3/2/6/132681901/zavesusu_takedof_jepafipe_duwibomipekewa.pdf
      • http://files.furbabiesandfriendsphotography.com/uploads/1/3/1/0/131070351/3608946.pdf
      • http://files.raphaelpilgrimage.org.uk/uploads/1/3/0/9/130969372/talubozuzer_borad.pdf
      • https://cdn.shopify.com/s/files/1/0434/0416/5285/files/admin_officer_interview_questions.pdf
      • https://cdn.shopify.com/s/files/1/0430/6557/3537/files/water_pollution_problems_and_solutions.pdf
      • https://cdn.shopify.com/s/files/1/0430/0318/3258/files/15951804020.pdf
      • https://cdn.shopify.com/s/files/1/0436/6876/6873/files/61785060713.pdf
      • https://cdn.shopify.com/s/files/1/0431/5004/9446/files/agronomie_cours.pdf
      • https://cdn.shopify.com/s/files/1/0437/0441/8455/files/instagram_auto_liker_script.pdf
      • https://cdn.shopify.com/s/files/1/0437/9761/0657/files/44917087072.pdf
      • https://cdn.shopify.com/s/files/1/0435/2013/1236/files/dukawubixavafi.pdf
      • https://cdn.shopify.com/s/files/1/0431/8868/2915/files/55857388678.pdf
    Other URLs (channel not labelled by the scanner):
      • http://www.ascendercorp.com/
      • http://www.ascendercorp.com/typedesigners.html
      • http://www.opentle.org
    XMP namespace and font-licence URIs (metadata strings rather than clickable links; expected in wkhtmltopdf/Qt output with embedded DejaVu fonts):
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/pdf/1.3/
      • http://ns.adobe.com/xap/1.0/
      • http://ns.adobe.com/xap/1.0/mm/
      • http://ns.adobe.com/xap/1.0/rights/
      • http://scripts.sil.org/OFL
      • http://www.gnu.org/licenses/gpl.html
      • http://dejavu.sourceforge.net
      • http://dejavu.sourceforge.net/wiki/index.php/License
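The duplicate-object and link-farm heuristics above, and the per-reader link extraction they depend on, can be reproduced in a few dozen lines. The following is an added example written for this page, not the scanner's own code: it walks the raw `N G obj ... endobj` definitions in a PDF, resolves them under both a first-wins and a last-wins policy, collects the `/URI` link targets each way, and applies a small-file / host-clustering test. The sample PDF bytes, the hosts (`cdn.example.test`, `redirector.example.test`, `files.other.example.test`, standing in for the cdn.shopify.com / ttraff.ru pattern in this report) and the thresholds (200 KB, five links, 50 % clustering) are constructed assumptions. A real reader also processes xref tables, object streams and compressed streams, which this regex pass deliberately does not.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, NOT the analysed file: a minimal PDF-like byte string with six
# link annotations and object 4 redefined after the trailer with a different /URI.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/s/files/1/0001/files/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/s/files/1/0002/files/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/s/files/1/0003/files/c.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/s/files/1/0004/files/d.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://files.other.example.test/uploads/e.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirector.example.test/wb?keyword=sheet%20music%20pdf) >> >> endobj
trailer << /Root 1 0 R >>
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirector.example.test/wb?keyword=second) >> >> endobj
"""

# "N G obj ... endobj" definitions; non-greedy so one match never swallows the next object.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI string operand; tolerates backslash escapes such as "\)" inside the literal.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Keys whose presence means a duplicate body carries active, not merely visual, content.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction", b"/AA", b"/EmbeddedFile")


def iter_objects(data):
    """Yield (num, gen, body, offset) for every indirect object definition, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def resolve_objects(data, policy="last"):
    """Build the (num, gen) -> body table a reader would use under a first-wins
    or last-wins policy when an object id is defined more than once."""
    table = {}
    for num, gen, body, _ in iter_objects(data):
        if policy == "first" and (num, gen) in table:
            continue
        table[(num, gen)] = body
    return table


def find_duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape: object ids defined more than once with
    differing bodies. 'active' is True when any of the bodies carries an active-content key."""
    seen = {}
    for num, gen, body, offset in iter_objects(data):
        seen.setdefault((num, gen), []).append((offset, body))
    dupes = {}
    for key, defs in seen.items():
        bodies = [b for _, b in defs]
        if len(defs) > 1 and len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            dupes[key] = {"offsets": [o for o, _ in defs], "active": active}
    return dupes


def extract_link_uris(data, policy="last"):
    """Collect /URI targets as seen by a reader with the given duplicate policy."""
    uris = []
    for body in resolve_objects(data, policy).values():
        for m in URI_RE.finditer(body):
            uris.append(m.group(1).replace(b"\\)", b")").decode("latin-1"))
    return uris


def link_farm_assessment(uris, file_size, max_size=200 * 1024, min_links=5, cluster_ratio=0.5):
    """PDF_SEO_LINK_FARM shape: small file, many external .pdf links, hosts clustered on
    one domain. The thresholds are assumptions for this example, not the scanner's values."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    flagged = file_size <= max_size and len(pdf_links) >= min_links and share >= cluster_ratio
    return {"pdf_links": len(pdf_links), "top_host": top_host, "top_share": round(share, 2), "flagged": flagged}


def triage(data):
    """Run both checks under both reader policies so the analyst sees where they disagree."""
    report = {"duplicates": find_duplicate_objects(data)}
    for policy in ("first", "last"):
        uris = extract_link_uris(data, policy)
        report[policy] = {"uris": uris, "link_farm": link_farm_assessment(uris, len(data))}
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_PDF)
    for key, info in r["duplicates"].items():
        print(f"duplicate object {key[0]} {key[1]} at offsets {info['offsets']} active={info['active']}")
    for policy in ("first", "last"):
        print(f"{policy}-wins: first link -> {r[policy]['uris'][0]}; link farm -> {r[policy]['link_farm']}")
```

In the constructed sample the two policies disagree: a first-wins reader sees five clustered PDF links and trips the link-farm rule, while a last-wins reader sees object 4 replaced by a redirector link and does not. That is exactly why the duplicate-object heuristic is worth reporting even at info severity: whichever body a given viewer picks, the analyst should inspect both.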

Extracted artifacts (6)

Files carved from inside the sample during analysis. All six are embedded sfnt font programs (kind pdf-font-stream), consistent with the wkhtmltopdf/Qt authoring application and the DejaVu font-licence URIs in the metadata; no script, executable or embedded-file payload was carved.

Filename                       Kind             Source                                      Size
font_00_sfnt_off0000783c.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x783C   8292 bytes
  SHA-256: f6cfbc7a7301b919781062f44240ee32640c5785486c3e2985ecc278e4b40763
font_01_sfnt_off00009423.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x9423   5276 bytes
  SHA-256: 2599d8ba4fd088218ff5d6f2591471786971d3bff489e2c693cda869e328407a
font_02_sfnt_off0000a604.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xA604   2060 bytes
  SHA-256: f93542dbf11e1b78b0e03947724839818dd350ad06a5f6d49fbf9462215d74ee
font_03_sfnt_off0000afa0.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xAFA0   6820 bytes
  SHA-256: 1d8c67f5608ef4a6a9824f8d8d899a862657ea7202581c409f54200ef4f864f5
font_04_sfnt_off0000c1ec.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xC1EC   17660 bytes
  SHA-256: 9aff78d254c5ceaba707c3578fbdc510f54473f2844b554fd4778dd5ccc04f42
font_05_sfnt_off0000f6f8.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xF6F8   16120 bytes
  SHA-256: b3432b6c6b17c1e4bee884808468ac268bbacb382b5205b8505214530cdc4367