Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c5e882556c64fb8…

MALICIOUS

PDF

75.2 KB Created: 2020-08-06 18:52:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f8a3f6f855e0447750dc6b9041484745 SHA-1: d3d83fcfef99aac9599e41d7b664804cf54a5880 SHA-256: 1c5e882556c64fb81c7ce71963554b450d366bce4988560d6f1dbabdbd0332ec
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link pointing to 'ttraff.ru'. The document body also contains this URL, suggesting the intent is to trick the user into clicking it. The link is presented as a download for 'digital logic gates and flip flops pdf'. The PDF also contains a large number of external links, many hosted on Shopify, which is indicative of a link farm used for SEO poisoning or to obscure the final malicious destination.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=digital+logic+gates+and+flip+flops+pdf
    • http://files.jamestownearlylearningcenter.org/uploads/1/3/1/4/131438038/8cb2e6e.pdf
    • http://files.mymobilervservice.com/uploads/1/3/0/8/130874582/sopeva.pdf
    • http://katojuwe.betanuchapter.com/uploads/1/3/1/6/131636948/a0e9d924.pdf
    • http://files.wyaskwellness.com/uploads/1/3/1/4/131408432/c59f80.pdf
    • http://files.simplydivinesuds.com/uploads/1/3/1/4/131407812/23f3d849.pdf
    • https://cdn.shopify.com/s/files/1/0431/7242/9980/files/voruxezumonakugasitin.pdf
    • https://cdn.shopify.com/s/files/1/0431/0443/6390/files/49623144299.pdf
    • https://cdn.shopify.com/s/files/1/0438/2192/4514/files/arduino_programming_tutorial_from_tutorialspoint.pdf
    • https://cdn.shopify.com/s/files/1/0432/2826/6654/files/config_sendmail_ubuntu.pdf
    • https://cdn.shopify.com/s/files/1/0435/9720/1576/files/83823069435.pdf
    • https://cdn.shopify.com/s/files/1/0430/8713/4882/files/arabic_language_download.pdf
    • https://cdn.shopify.com/s/files/1/0431/9520/3745/files/54719181414.pdf
    • https://cdn.shopify.com/s/files/1/0437/4616/4897/files/tibupiterenukejulet.pdf
    • https://cdn.shopify.com/s/files/1/0428/5261/4311/files/sokexaxuvurekurifezowelu.pdf
    • https://cdn.shopify.com/s/files/1/0437/1703/4134/files/96721276971.pdf
    • https://cdn.shopify.com/s/files/1/0429/3751/6191/files/business_report_writing_examples.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c9dd.bin
c4b034bb737408d1637a6122b9fd204053cc512769dc0290ce20ec17ad5d18d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC9DD 5228 bytes
font_01_sfnt_off0000dbc8.bin
dd5568e5b505b5800f6dd9da7a44bc2548e11e4de51c0f31741ac56ee5ce0c66		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDBC8 13708 bytes
font_02_sfnt_off000107fe.bin
8596d51a523124fcb1950bb0b7033b1d9054ead7d937a3136e05175fcc3fb7d3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x107FE 16272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.