Malicious PDF — malware analysis report

Static analysis result for SHA-256 07f75620645854df…

Verdict: MALICIOUS
File type: PDF
Size: 45.7 KB
Created: 2020-08-19 14:44:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: afa680b1cd9227508eda6fe656efdba0
SHA-1: 5bb5ca6367f8472feded0dff10a4448ddce6f017
SHA-256: 07f75620645854dfadc7c48dcfaf6d973dd891d4105f1a9b5ac365ddc68abfa9
Risk Score: 162

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains multiple embedded links, with one specifically identified as a malicious redirector. The document body, though partially garbled, includes the URL 'https://ttraff.ru/pify?keyword=blandad+form+division', suggesting a lure to a link farm or malicious site. The presence of numerous external PDF links further supports the link farm heuristic, indicating an attempt to distribute malicious content or engage in SEO abuse.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). Useful context, but low-signal without other findings.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (flagged redirector): https://ttraff.ru/pify?keyword=blandad+form+division

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000558a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x558A | 5164 bytes | 0dee2a11eaddd24930010f3d3dca3d9d2b707d81562e8d3afef7af8e43414fdc
font_01_sfnt_off00006706.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6706 | 14600 bytes | 63d7334e5ebcbbb52ff5358772b64f1915539298e79704ad11d478516a9e546c
font_02_sfnt_off00009592.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9592 | 16076 bytes | 75fb5eda6c80430b94b20cb0daa906e0e98a9f633c3ecfcf71c743d7414a59fc