Malicious PDF — malware analysis report

Static analysis result for SHA-256 16be5de65c2af684…

Verdict: MALICIOUS
File type: PDF
Size: 48.1 KB
Created: 2020-08-08 10:42:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 24f8c022645621fba804c053c8ff3e6c
SHA-1: a15d1ff1c41f223381bbc76e490817967022c15c
SHA-256: 16be5de65c2af6846d35f2d8adc27749dd92388054388413cf663059e24f6a23
Risk score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded links. Most point to benign Shopify-hosted files, but one is a critical link to a known malicious redirector at `https://ttraff.ru/pify?keyword=the+swan+cello+and+piano+sheet+music+pdf+free`. This suggests the document is part of an SEO spam or phishing campaign designed to redirect users to malicious infrastructure. No scripts were extracted, but the volume of links together with the malicious redirector strongly indicates malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, etc.) reached each URL.
    URL: https://ttraff.ru/pify?keyword=the+swan+cello+and+piano+sheet+music+pdf+free

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000657a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x657A
    Size: 5436 bytes
    SHA-256: 2ca29207dc3d728bd264d9c810203cd6afc058e207ceb4177a7fa1da85d4dde7
  • Filename: font_01_sfnt_off000077dc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x77DC
    Size: 10600 bytes
    SHA-256: ec3a72783be609fa6d6a59669106b7f3e61840bd09917d2935ac0c30933a80ab
  • Filename: font_02_sfnt_off00009bd4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9BD4
    Size: 16184 bytes
    SHA-256: 4360e29b7d2504916afe74d557016965ce00ddb6e9b1d1498b998f2d7a1046f9