Malicious PDF — malware analysis report

Static analysis result for SHA-256 1a3b9317120561fa…

MALICIOUS

PDF

43.8 KB Created: 2020-08-25 15:30:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d29fe172d55398686da8bf0c4cf0551a SHA-1: a7060e2336bc57873174462edcf7855596731191 SHA-256: 1a3b9317120561fa2c6d0832ee0be6f6d2a275fd02419409b5575f37f8b5dde8
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm with multiple embedded URLs, including one pointing to known malicious redirector infrastructure at https://ttraff.ru/pify?keyword=agenda+diaria+2018+pdf+para+imprimir. The ML classifier strongly indicated maliciousness. The document body, though partially corrupted, contains text related to 'Agenda diaria 2018 pdf para imprimir' and the malicious URL, suggesting a lure to a phishing or malware distribution site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=agenda+diaria+2018+pdf+para+imprimir
    • http://files.parlapianostudio.com/uploads/1/3/0/7/130775387/2668477.pdf
    • http://rigeb.davidkellypoetry.com/uploads/1/3/1/6/131636725/4f6bbdfdcb.pdf
    • https://cdn.shopify.com/s/files/1/0440/2269/4046/files/proper_barbell_overhead_press_form.pdf
    • https://cdn.shopify.com/s/files/1/0435/0086/3643/files/18397712671.pdf
    • https://cdn.shopify.com/s/files/1/0431/0152/0029/files/xebod.pdf
    • https://cdn.shopify.com/s/files/1/0428/1715/9335/files/11812511376.pdf
    • https://cdn.shopify.com/s/files/1/0429/0763/1779/files/29400715726.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/viborovikumowenaben.pdf
    • https://cdn.shopify.com/s/files/1/0436/6820/9814/files/engineering_company_profile_template.pdf
    • https://cdn.shopify.com/s/files/1/0436/5513/5390/files/nopajexagurewabipanol.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006726.bin
a0a89957c0ab584e70c83c40c5ae912ad10bc4fad0166e3b5eb3c02e62882701		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6726 5660 bytes
font_01_sfnt_off00007a57.bin
e102632b1dcc4b376af698d2185380ec1172d22fc1fe7d6cfb139ab30df939fe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A57 12008 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.