Malicious PDF — malware analysis report

Static analysis result for SHA-256 152681c705795acb…

MALICIOUS

PDF

Size: 40.7 KB
Created: 2020-08-14 08:06:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e0655ca72510f66d9ffbcb11201ef670
SHA-1: cb9e863ffe571b2d7b16e160eb3b6d002a90d600
SHA-256: 152681c705795acb4aadb99bc66b6f825a20d703f83b140bf1753fb13dd36cc4
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF was flagged as malicious by a machine learning classifier and heuristics indicate it contains a link farm with a high number of external links, including one pointing to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains URLs that are likely part of this link farm. The primary malicious activity observed is the redirection to the URL https://ttraff.ru/pify?keyword=red+background+free, which is likely used for SEO spam or to lead users to phishing content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.ru/pify?keyword=red+background+free
    • http://files.mgpsych.com/uploads/1/3/0/8/130814298/vijuniwedifedowa.pdf
    • http://pabovo.adkaromatherapy.com/uploads/1/3/1/3/131380480/1f0db5.pdf
    • http://files.deafcan.org/uploads/1/3/1/0/131070178/7985678.pdf
    • http://files.aikenveterinaryacupuncture.com/uploads/1/3/2/3/132303035/dutexex_sinopegenesoned_sonipori.pdf
    • http://files.hotspringswinery.com/uploads/1/3/2/7/132710797/855ba54e1d.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.opentle.org
    • https://cdn.shopify.com/s/files/1/0432/3121/5774/files/80383957678.pdf
    • https://cdn.shopify.com/s/files/1/0437/6012/4065/files/mapa_mundi_atualizado_em.pdf
    • https://cdn.shopify.com/s/files/1/0444/5192/2087/files/articles_exercises_for_class_4.pdf
    • https://cdn.shopify.com/s/files/1/0439/1872/1192/files/zovevipatin.pdf
    • https://cdn.shopify.com/s/files/1/0427/3097/9495/files/austin_airport_arrival_information.pdf
    • https://cdn.shopify.com/s/files/1/0433/5989/5717/files/31055817747.pdf
    • https://cdn.shopify.com/s/files/1/0432/2682/4863/files/zepukosa.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/febipak.pdf
    • https://cdn.shopify.com/s/files/1/0430/0180/6997/files/fumemutimogezajapoge.pdf
    • https://cdn.shopify.com/s/files/1/0428/7463/4403/files/51495987169.pdf
    • https://cdn.shopify.com/s/files/1/0429/4233/3087/files/cpted_survey_template.pdf
    • https://cdn.shopify.com/s/files/1/0433/5131/0488/files/83463419879.pdf
    • https://cdn.shopify.com/s/files/1/0430/5905/2706/files/74228507727.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/gpl.html

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00004f07.bin | 49697da5b04de7f8d5362c2ec4220fafa83ae3486302fa1b0815a8b33693dc41 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4F07 | 5192 bytes
font_01_sfnt_off000060be.bin | 44b177450476c416fcd18d665294b8a4dd80e6b28c93f11e70a9b4a3809fdc40 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x60BE | 8268 bytes
font_02_sfnt_off0000775d.bin | 93c7e0643317b4457d908ce69a09ec2107c1884eeec407221ef8801f47c8a39e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x775D | 8884 bytes