Malicious PDF — malware analysis report

Static analysis result for SHA-256 09d37c90ab0702f7…

MALICIOUS

PDF

Size: 43.6 KB
Created: 2020-08-17 14:58:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a76f8913ac90cc7c4d3668737ba65310
SHA-1: 21b52864d6ed4bfc1ebfe86f6673e1b4661fc884
SHA-256: 09d37c90ab0702f736d2e188ecc669d2d63ae7a8dddc7517dfc278e02d84bbac
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links, many pointing to Shopify domains hosting other PDFs, a technique often used for SEO poisoning or to obscure malicious redirects. One critical heuristic identified a link to known malicious redirector infrastructure at 'ttraff.ru'. The document body, though heavily obfuscated, contains the same malicious URL, reinforcing the intent to redirect users. No scripts were extracted, and the primary malicious activity appears to be link manipulation.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=birthday+wishes+tamil+whatsapp+status

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00004a0d.bin | 83b2902c73d7592f791cb35047530e81bfec2ba5f16345f15cdb7b04c41ab99c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4A0D | 5444 bytes
font_01_sfnt_off00005c7d.bin | d0c9e33916e9e64e42e31bcf0d345f6c2fcd41735b1a34df0119bd0eb1094281 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5C7D | 3720 bytes
font_02_sfnt_off000067e0.bin | e8090389592638dc0aee39976a8eef71138da7f249a62360ccf3acccb2db34b2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x67E0 | 9692 bytes
font_03_sfnt_off00008946.bin | 42fb12002fb63406534afb20b7cb8b953f3be5aaf82bb5def531e57f72533e60 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8946 | 7040 bytes