Malicious PDF — malware analysis report

Static analysis result for SHA-256 155753f4caa61d6a…

MALICIOUS

PDF

50.3 KB Created: 2020-08-26 21:39:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c05835477d17bf92f106ceeec0daf74b SHA-1: f917572720a7d449c935a43ce48eca8f0a190788 SHA-256: 155753f4caa61d6a0d18698e151c03e7130879496f91b1048b92daab413d5480
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to Shopify domains hosting other PDFs, suggesting a link farm or SEO manipulation tactic. One critical heuristic identified a link to known malicious redirector infrastructure at 'https://ttraff.com/pify?keyword=himalaya+ayurvedic+medicine+list+pdf'. The document body, though heavily obfuscated, contains text related to 'Himalaya ayurvedic medicine list pdf', reinforcing the lure. The presence of embedded URLs and the ML classifier's high confidence score indicate malicious intent, likely to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=himalaya+ayurvedic+medicine+list+pdf
    • http://budaj.firstbaptistfta.org/uploads/1/3/1/4/131406430/zesimekimegibo.pdf
    • http://zifaguki.tajaddodorthodontics.com/uploads/1/3/2/8/132815002/03cb82d1b7e26.pdf
    • http://jodivi.nicolejonestroy.com/uploads/1/3/0/8/130813490/ecf9faee45c8ce.pdf
    • http://nupovi.allendaleunionchapel.com/uploads/1/3/1/3/131384306/lazodenop-betuxivesemosax.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0433/4652/6361/files/bukonubidavisukulozifoji.pdf
    • https://cdn.shopify.com/s/files/1/0432/0660/7012/files/gamuvevipawubibamexezeda.pdf
    • https://cdn.shopify.com/s/files/1/0433/7316/6744/files/41064342629.pdf
    • https://cdn.shopify.com/s/files/1/0432/0159/3502/files/business_administration_thesis.pdf
    • https://cdn.shopify.com/s/files/1/0438/2480/8096/files/95391104332.pdf
    • https://cdn.shopify.com/s/files/1/0431/8691/3439/files/54780639352.pdf
    • https://cdn.shopify.com/s/files/1/0433/0792/5654/files/bartter_syndrome.pdf
    • https://cdn.shopify.com/s/files/1/0427/4136/6951/files/71571290093.pdf
    • https://cdn.shopify.com/s/files/1/0445/9154/6532/files/angielski_b2_ksika.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006e5f.bin
6700f978206b05170dced5f96fcfbcfdce7ce97fc85ec7d0fccd3c3b82c72ded		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E5F 5424 bytes
font_01_sfnt_off000080b9.bin
7ca698a01c05a00ce8f792c668a1549b02cad9e188b682bd678901f1b5c8b11f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x80B9 10412 bytes
font_02_sfnt_off0000a494.bin
e296a61d2d303e35be9e1a35631556663d2780498efa7e8f3867bf557f172fe6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA494 16164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.