Malicious PDF — malware analysis report

Static analysis result for SHA-256 124aa4343f4abf04…

Verdict: MALICIOUS
File type: PDF
Size: 56.4 KB
Created: 2020-08-02 10:31:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 043a86154661299740943ab8d4830a4f
SHA-1: 673f35e6aef6d4999f7539d137c0c0ee0c4c1be8
SHA-256: 124aa4343f4abf046ec7eaa0146e842c691b0b8024274e72a49e91daefebbd50
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous links, many pointing to external PDF files hosted on various domains, suggesting a link farm or SEO abuse tactic. One prominent URL, 'https://ttraff.ru/pify?keyword=precalculus+with+limits+a+graphing+approach', is flagged as a malicious redirector. The ML classifier also strongly indicated maliciousness. The document body, though heavily obfuscated, contains the same malicious URL, reinforcing the lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.ru/pify?keyword=precalculus+with+limits+a+graphing+approach
    • http://files.gsskids.org/uploads/1/3/0/8/130873973/korunavo.pdf
    • http://files.srinagarhouseboats.co.in/uploads/1/3/0/7/130738892/6cac82.pdf
    • http://files.yellowpixiedust.com/uploads/1/3/1/4/131452783/zejufanol.pdf
    • http://files.brewsterwhitecaps.com/uploads/1/3/0/7/130776168/a5eb161.pdf
    • http://files.cyclingadventures.net/uploads/1/3/2/6/132695689/sulexovabub_bubizelogu_mekodovi_pinuvawenun.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/37629755229.pdf
    • https://cdn.shopify.com/s/files/1/0428/1496/3868/files/74485384155.pdf
    • https://cdn.shopify.com/s/files/1/0430/8015/5290/files/tupoludur.pdf
    • https://cdn.shopify.com/s/files/1/0440/6142/5814/files/gepigikalezanode.pdf
    • https://cdn.shopify.com/s/files/1/0432/0054/4931/files/jarunepupab.pdf
    • https://cdn.shopify.com/s/files/1/0435/8701/0728/files/steam_client_bootstrapper.pdf
    • https://cdn.shopify.com/s/files/1/0429/7133/2767/files/xaludanebiv.pdf
    • https://cdn.shopify.com/s/files/1/0429/5114/7679/files/84474756737.pdf
    • https://cdn.shopify.com/s/files/1/0434/1186/5751/files/www._craighls_list_detroit._com.pdf
    • https://cdn.shopify.com/s/files/1/0431/0263/4148/files/57637497037.pdf
    • https://cdn.shopify.com/s/files/1/0429/0933/5715/files/xusetimunufojubadutu.pdf
    • https://cdn.shopify.com/s/files/1/0430/0472/3349/files/37831993523.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/74535711799.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/zurutadodusabexefiba.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000811e.bin
    SHA-256: f915130e85f8317601695eff7f6518ef359ff463aaf57ba31450080f332998c6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x811E
    Size: 5440 bytes
  • Filename: font_01_sfnt_off00009387.bin
    SHA-256: cce4cd3540597a312f104170b35a14f2b0fedac1767942457c64e0f8c79fa46b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9387
    Size: 13564 bytes
  • Filename: font_02_sfnt_off0000be65.bin
    SHA-256: 6820151f9a4816bccc9e85e605aef44ce22c8924dfcccd161584754f275bf028
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBE65
    Size: 16132 bytes