Malicious PDF — malware analysis report

Static analysis result for SHA-256 04a1a4377009261d…

MALICIOUS

PDF

47.5 KB Created: 2020-07-31 15:08:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c970af7f8b14dc38984de023fca95b71 SHA-1: f774233db88a730db6e886d46a8e9923e50bcae9 SHA-256: 04a1a4377009261d29c3c579047dfb691cc67d9e44d08373f73ab3b4b589e9d2
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links, many pointing to what appears to be a link farm designed to mimic search results for academic papers. One prominent URL, https://ttraff.ru/pify?keyword=core+concepts+of+accounting+information+systems+pdf, is flagged as a malicious redirector. The ML classifier also strongly indicated maliciousness. While no scripts were extracted, the structure and the malicious URL suggest an attempt to redirect users to a harmful site, likely for phishing or scam purposes.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=core+concepts+of+accounting+information+systems+pdf
    • http://files.flying20spi.org/uploads/1/3/1/0/131071037/rodilalufenukodepafa.pdf
    • http://files.trianglechamberacademy.com/uploads/1/3/1/4/131438313/2538141.pdf
    • http://files.mysmileprogram.com/uploads/1/3/0/9/130969772/91f876b71.pdf
    • http://files.italiancitizenshiptranslator.com/uploads/1/3/1/3/131381881/fapalinatemi-rokotukin-doluripat.pdf
    • http://files.thespringschurch.net/uploads/1/3/1/6/131606165/1729119.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0431/9870/9918/files/96025398650.pdf
    • https://cdn.shopify.com/s/files/1/0434/6878/3768/files/wudosakajajibisenofegewal.pdf
    • https://cdn.shopify.com/s/files/1/0428/0880/3495/files/68347944504.pdf
    • https://cdn.shopify.com/s/files/1/0428/7217/6796/files/tulizozalenuximer.pdf
    • https://cdn.shopify.com/s/files/1/0435/9897/1038/files/74156064234.pdf
    • https://cdn.shopify.com/s/files/1/0433/4895/1194/files/58702218961.pdf
    • https://cdn.shopify.com/s/files/1/0432/3658/9730/files/viraveturar.pdf
    • https://cdn.shopify.com/s/files/1/0432/0234/7168/files/98550070328.pdf
    • https://cdn.shopify.com/s/files/1/0432/4891/0491/files/82442514466.pdf
    • https://cdn.shopify.com/s/files/1/0433/6012/5080/files/bopojudipasewatowekad.pdf
    • https://cdn.shopify.com/s/files/1/0427/4218/6150/files/sojujosesasidixoxunozi.pdf
    • https://cdn.shopify.com/s/files/1/0432/2020/5726/files/sufisobubibulajonobamif.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007990.bin
cf6d7e2bd0f39238854082179d646ec345a0a4f73c844421ccd8e7b7fdcc1467		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7990 5448 bytes
font_01_sfnt_off00008c05.bin
6f7864c336c4562ae863f8b999425f19670b5edc14a10fb6ec4cc9e92d4e1ec1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8C05 10104 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.