Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d09f09ae6cdba5c…

MALICIOUS

PDF

45.4 KB Created: 2020-08-10 23:12:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d857350f49153dda3b3e5a815d754ff6 SHA-1: b4d4f2874144b66b0daa0c9710a0d27f6c2b617a SHA-256: 1d09f09ae6cdba5c373572a05c2812cd842c2c0cb8a4f368e1186e0bdff77e34
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous embedded links, with a critical heuristic firing indicating a link to known malicious redirector infrastructure at https://ttraff.com/pify?keyword=bisectriz+mediatriz+mediana+y+altura+pdf. Another critical heuristic identified a large number of external PDF links, suggesting a link farm or SEO poisoning attempt. The ML classifier strongly flagged this PDF as malicious. No scripts were extracted, but the primary attack vector appears to be social engineering via malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=bisectriz+mediatriz+mediana+y+altura+pdf
    • http://files.floydsforkdems.com/uploads/1/3/1/4/131408280/2cfc4b8a4.pdf
    • http://files.etopp13.org/uploads/1/3/0/7/130775106/galupuletuf-rigirabusubene-resasur.pdf
    • http://files.bradvanambergrealestate.com/uploads/1/3/2/6/132681513/sopiwe.pdf
    • https://cdn.shopify.com/s/files/1/0436/7453/4041/files/piano_songs_pop.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/pujar.pdf
    • https://cdn.shopify.com/s/files/1/0435/0499/2421/files/57129214372.pdf
    • https://cdn.shopify.com/s/files/1/0437/5340/6618/files/50832056282.pdf
    • https://cdn.shopify.com/s/files/1/0433/6546/6270/files/texas_jurisprudence_study_guide.pdf
    • https://cdn.shopify.com/s/files/1/0434/1052/2268/files/vevifodarajo.pdf
    • https://cdn.shopify.com/s/files/1/0429/6219/0499/files/3777982664.pdf
    • https://cdn.shopify.com/s/files/1/0432/3170/7294/files/a_room_of_one_s_own_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0431/4677/2629/files/gidudegugowufisosi.pdf
    • https://cdn.shopify.com/s/files/1/0430/3002/0247/files/25087237819.pdf
    • https://cdn.shopify.com/s/files/1/0431/5774/9917/files/tizopajiv.pdf
    • https://cdn.shopify.com/s/files/1/0438/7527/0811/files/fisiopatologia_del_sindrome_anemico.pdf
    • https://cdn.shopify.com/s/files/1/0438/2756/0598/files/62642416674.pdf
    • https://cdn.shopify.com/s/files/1/0435/8694/5187/files/nebipa.pdf
    • https://cdn.shopify.com/s/files/1/0435/5139/1907/files/pasukatevolerijajog.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000059d6.bin
899f62071ff1fff49553b795c9cf586047ce16e0a12600f4bc8f395d0ba2388a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x59D6 5500 bytes
font_01_sfnt_off00006c83.bin
94d9cf276f10df1bf3f9ddee741c758af4209109bddfd1e704ba8c28fa390196		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C83 11400 bytes
font_02_sfnt_off000091e0.bin
7167acb2ec3b2093263c7f75c7b5a6e6e939286f80af06bffea75e84f32888df		 pdf-font-stream PDF embedded font (sfnt) at offset 0x91E0 16068 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.