Malicious PDF — malware analysis report

Static analysis result for SHA-256 207df65dbdce501c…

Verdict: MALICIOUS
File type: PDF
Size: 66.0 KB
Created: 2020-08-07 15:17:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dbe338b989b1d0895160b46b5c468613
SHA-1: eb9574c734b17a6cf6d94a7873836df3c2c86905
SHA-256: 207df65dbdce501c2addeadee83b6be1d1dc2265bbd60824cc16a57fb52cd147
Risk score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains numerous links, including a critical redirector link to 'ttraff.com', disguised as a Bible download. This indicates a phishing or malware distribution attempt. The ML classifier strongly supports the malicious verdict. No scripts were extracted, but the primary attack vector is the malicious redirection embedded within the document.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF carries many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=download+holy+bible+in+amharic+pdf

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000665a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x665A | 24432 bytes | f95661098fac4922c7cf94072ae7d983d88ed4bd66890c195720d7cee76a97bf
font_01_sfnt_off0000a73e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA73E | 5552 bytes | 2db53455eb2103ca468b94eccda5a59b714907aa1855e7a90dbda3ce69a33701
font_02_sfnt_off0000ba02.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBA02 | 1772 bytes | b44234b99998f6faa0297193f745ab57bbfde2d736c89d064edb68d8857b7b3f
font_03_sfnt_off0000c27b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC27B | 9864 bytes | 5d1f5ce7118b8c369f720b9670b7fcd3fb1652fc5431baf2ba8472c4191a242e
font_04_sfnt_off0000e491.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE491 | 16224 bytes | 147421627389a3bb5e3784c20c6f8f48cfc40ff904a7fff8d4d10779bfa690ad