Malicious PDF — malware analysis report

Static analysis result for SHA-256 02f3df3a2bfc67b9…

MALICIOUS

PDF

43.5 KB Created: 2020-07-31 07:42:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d15f9c6a8f92dc83682301017a1897de SHA-1: a09e42c862e759f7fafd14f437f58fec1d931cc4 SHA-256: 02f3df3a2bfc67b975bf1208c9eb73764b14fb49aec8d5c81df53e39f008a4dd
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'ttraff.com' with a lure related to 'aadhar card application form'. This aligns with a payment redirection lure, a common tactic in business email compromise attacks. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, and the presence of numerous embedded URLs, many pointing to Shopify, indicates an attempt to create a link farm for SEO poisoning or to host malicious content. No scripts were extracted, but the primary attack vector appears to be the malicious URL embedded within the document.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=new+aadhar+card+application+form+download+pdf
    • http://files.triumvirateartists.com/uploads/1/3/2/7/132740214/8623413.pdf
    • http://files.missautoknow.com/uploads/1/3/2/6/132681976/zexukus.pdf
    • http://files.heartofillinoisorff.org/uploads/1/3/1/3/131379371/9586210.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0428/3046/3142/files/pajofomupogozekewibava.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/46496449222.pdf
    • https://cdn.shopify.com/s/files/1/0433/9249/9877/files/46838019873.pdf
    • https://cdn.shopify.com/s/files/1/0430/0485/4426/files/vediwemedux.pdf
    • https://cdn.shopify.com/s/files/1/0432/6955/4329/files/xoranaxamaxokevu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0350/1989/files/84592259603.pdf
    • https://cdn.shopify.com/s/files/1/0431/2409/7191/files/99598898870.pdf
    • https://cdn.shopify.com/s/files/1/0433/7342/8888/files/dukeworafexedisu.pdf
    • https://cdn.shopify.com/s/files/1/0433/3027/3435/files/76839932954.pdf
    • https://cdn.shopify.com/s/files/1/0428/0582/1599/files/24841781599.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006e2a.bin
04fda66b027f1be785d32794ea5d9698762064c3a9937cdf619a664aa157f8f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E2A 5068 bytes
font_01_sfnt_off00007f3b.bin
e15181a3a05d5abc4e196914f8f817b70d17a81933b947b6ed5a58548a2ccd98		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F3B 9904 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.