Malicious PDF — malware analysis report

Static analysis result for SHA-256 01efcc0f4be8a6d2…

MALICIOUS

PDF

62.3 KB Created: 2020-08-18 17:58:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2f51dda3a8c0d3f8bfba98351df0975b SHA-1: 52e502dd63e01dbc4f280f97bf7b33e7d039bda0 SHA-256: 01efcc0f4be8a6d2415bebb6cc72ef867c1fa588cd8a377a7648eb6b65ec6d51
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many pointing to Shopify domains hosting other PDFs, suggesting an SEO spam or link farm operation. One prominent link, 'https://ttraff.ru/pify?keyword=arunachal+university+of+studies+fee+structure+pdf', is flagged as malicious and likely serves as a redirector to malicious content. The document body, though heavily obfuscated, contains text related to 'Arunachal university of studies fee structure', reinforcing the lure. No scripts were extracted, but the presence of numerous links and the malicious redirector indicate a phishing or spam distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=arunachal+university+of+studies+fee+structure+pdf
    • http://wibif.thelittletreatmentroom.ca/uploads/1/3/0/8/130814328/acfb9.pdf
    • http://files.ekoforteang.net/uploads/1/3/1/3/131379117/aa3f77.pdf
    • http://files.brownbrotherscruises.com/uploads/1/3/1/3/131380120/7087168.pdf
    • http://zusudis.shrubmadness.com/uploads/1/3/2/7/132740285/lanorebaw-visiton.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0437/0802/2938/files/bezojevopelo.pdf
    • https://cdn.shopify.com/s/files/1/0431/5647/1959/files/47153614190.pdf
    • https://cdn.shopify.com/s/files/1/0460/6518/9019/files/ruvonabirole.pdf
    • https://cdn.shopify.com/s/files/1/0435/2750/4024/files/kusixinir.pdf
    • https://cdn.shopify.com/s/files/1/0435/4444/5092/files/michelman_violin_varnish.pdf
    • https://cdn.shopify.com/s/files/1/0431/9969/2958/files/45476016863.pdf
    • https://cdn.shopify.com/s/files/1/0432/8947/7273/files/military_alphabet_chart.pdf
    • https://cdn.shopify.com/s/files/1/0438/9725/8136/files/16940130669.pdf
    • https://cdn.shopify.com/s/files/1/0430/6593/3985/files/lisiwasefuwemidadur.pdf
    • https://cdn.shopify.com/s/files/1/0434/1206/2364/files/63417025428.pdf
    • https://cdn.shopify.com/s/files/1/0437/5969/8077/files/calculus_b_v_ramana.pdf
    • https://cdn.shopify.com/s/files/1/0440/2230/0822/files/viwim.pdf
    • https://cdn.shopify.com/s/files/1/0432/8790/4411/files/21278866693.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008493.bin
b22df8ff28785fbff11617b798c6dd818180078ee71127b41afd7005ee94074a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8493 5276 bytes
font_01_sfnt_off00009680.bin
1424133b5ed05aca7ca42149fe68d0684805604dd2cb3ca551737c0cb0e49723		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9680 16252 bytes
font_02_sfnt_off0000c7ff.bin
ead7fd593d7f5feef6f283420e9b55f8fa4552f107c64b0063d474dd3355abd8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC7FF 16164 bytes
font_03_sfnt_off0000dd18.bin
d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDD18 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.