Malicious PDF — malware analysis report

Static analysis result for SHA-256 09170f03445905a9…

MALICIOUS

PDF

Size: 526.9 KB
Created: 2020-08-08 13:49:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5a2c63d9cdfdf6d17d6b54955b9064c0
SHA-1: 52802ae6a0b18248e1bc82c164d79e1f395cb529
SHA-256: 09170f03445905a945e80afbbeeeb33aee0597e2dc6f5e6fccf4177150ace5a4
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a link to a known malicious redirector, ttraff.ru, which is likely used to lure victims into downloading further malware or phishing for credentials. The document body, though heavily obfuscated, contains the same URL, suggesting it is the primary mechanism for the attack. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8801

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=hunger+games+mockingjay+part+2+script+pdf

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0007b4ad.bin
    SHA-256: 2738efedbbefe71f0e05f5944c5da990f3a1082ce001b28c602c8d6399941361
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7B4AD
    Size: 5660 bytes
  • font_01_sfnt_off0007c7ee.bin
    SHA-256: b2e5a8f48f87ffccc9596ef8a9bf29a54ac142eaa187f83c7929b47c2966d78d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7C7EE
    Size: 19768 bytes
  • font_02_sfnt_off00080366.bin
    SHA-256: f86a3cf928c99ddcaf9dbd6bb719b73eced0bd2239fdb2efc073c3eb4921aaf6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x80366
    Size: 16464 bytes
  • font_03_sfnt_off0008198e.bin
    SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8198E
    Size: 4324 bytes