Malicious PDF — malware analysis report

Static analysis result for SHA-256 10f44397d83eed51…

Verdict: MALICIOUS
File type: PDF
Size: 59.0 KB
Created: 2020-08-02 11:21:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8c3c540058285762cecb040defdeeba2
SHA-1: ba42132d1924ca4b9ec38f6ad29d5c68be9a89cf
SHA-256: 10f44397d83eed51d0c6e8383fadaad18c3ab087500505df606de7d3060a3f84
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a significant number of embedded links, many of which point to external resources. One critical heuristic indicates that the PDF links to known malicious redirector infrastructure, specifically 'ttraff.ru'. The document body, though partially obfuscated, contains text related to 'Ubuntu boot partition full' and includes the malicious URL, suggesting a lure that leads to a potentially harmful site. The numerous Shopify-hosted PDF links, even if some are benign, are consistent with a link-farm strategy.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=ubuntu+boot+partition+full

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00007d9e.bin
    SHA-256: b0094e9abb7fe27972faf6efaf2a00018fcef2f9a2ef1867b44f4a012f12f853
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7D9E
    Size: 4848 bytes
  • font_01_sfnt_off00008e26.bin
    SHA-256: 6d2b430af3b20c3eb7b9cdbe4fe23f1ecf8e8f4cdb433abe44bf193babafd90f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8E26
    Size: 2012 bytes
  • font_02_sfnt_off00009782.bin
    SHA-256: fbb83253ecb97697235bfd584ee13264f4ef37ae24e18cc0487f5dd543576079
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9782
    Size: 14588 bytes
  • font_03_sfnt_off0000c608.bin
    SHA-256: c8ef3cc8a82a0c5ddc4d22feb1f9ceeba2dfc55397efe270e905bc1b2b04e141
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC608
    Size: 17072 bytes