Malicious PDF — malware analysis report

Static analysis result for SHA-256 025d38a6fa7c2dce…

MALICIOUS

PDF

67.4 KB Created: 2020-08-25 02:16:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6ffc614202814ef8a8f9d56cbe2a8075 SHA-1: 6ad2272d934fe66db91432204578cca9ad735b51 SHA-256: 025d38a6fa7c2dce9136006ea8fb352fb82ad57fbcb580ce76d438e0d911a257
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links, many of which point to a link farm designed to host numerous PDF files. One of these links, 'https://ttraff.com/pify?keyword=engineering+drawing+pdf+notes', is identified as a known malicious redirector. The ML classifier also strongly flagged this PDF as malicious, indicating a high likelihood of malicious intent. The document body itself is heavily obfuscated and contains the malicious URL, suggesting a social engineering attempt to drive traffic to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=engineering+drawing+pdf+notes
    • http://lujura.markchrislermusic.com/uploads/1/3/2/7/132740351/b3450b58.pdf
    • http://files.jennifercaraluzzi.com/uploads/1/3/2/6/132695662/1f2547c6c13.pdf
    • http://files.hire-alicia.com/uploads/1/3/0/9/130969712/zenusoviwugowigu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0435/6420/4193/files/xoriro.pdf
    • https://cdn.shopify.com/s/files/1/0429/9161/6153/files/belajar_microsoft_excel_dasar.pdf
    • https://cdn.shopify.com/s/files/1/0428/8184/3353/files/35317586610.pdf
    • https://cdn.shopify.com/s/files/1/0457/0044/8412/files/pltw_engineering_4._1_answers.pdf
    • https://cdn.shopify.com/s/files/1/0433/5068/7903/files/55093196887.pdf
    • https://cdn.shopify.com/s/files/1/0434/6878/3768/files/anti_slip_grp_flooring_sheets.pdf
    • https://cdn.shopify.com/s/files/1/0437/3810/3962/files/ronenelaj.pdf
    • https://cdn.shopify.com/s/files/1/0431/3438/6332/files/inamdar_book.pdf
    • https://cdn.shopify.com/s/files/1/0462/1556/1370/files/67874922296.pdf
    • https://cdn.shopify.com/s/files/1/0439/4388/7016/files/list_of_adjectives_in_english.pdf
    • https://cdn.shopify.com/s/files/1/0434/3998/0710/files/22272281487.pdf
    • https://cdn.shopify.com/s/files/1/0430/5554/6517/files/28403215908.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b6bc.bin
b1537f85f3aef13803f5bfacc5270d85de77ec0c39501e07233f5542902c57ae		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB6BC 5228 bytes
font_01_sfnt_off0000c8aa.bin
7e5a0bc30730124655151e3d7627fe5b446a10ae98c211da3a5b050e491aea29		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC8AA 9908 bytes
font_02_sfnt_off0000eaca.bin
852e0d6ce07a1db2e11154f4548aec4dc29a2cf073112f8b6a2b4be1be4894b3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEACA 16172 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.