Malicious PDF — malware analysis report

Static analysis result for SHA-256 222648d7208d1276…

Verdict: MALICIOUS
File type: PDF
Size: 98.0 KB
Created: 2020-08-29 13:55:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f961c6ca183272a5445244d07e9f288d
SHA-1: 3d096b2bd91f7796662b4e384306058cdd40fe4f
SHA-256: 222648d7208d1276d634be9bf590ff9cfeace5418e625b1943ea999dc3edb33d
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, directing users to a URL associated with malicious infrastructure. The ML classifier also strongly flagged this PDF as malicious. The embedded URL is part of a link farm, likely for SEO poisoning to attract users searching for specific content like movie subtitles. The primary malicious URL is https://ttraff.cc/wix?keyword=the+babadook+%25282014%2529+sinhala+subtitles, which is designed to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9919

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=the+babadook+%25282014%2529+sinhala+subtitles
    • https://cdn.shopify.com/s/files/1/0435/8724/0093/files/sadudenavavutafum.pdf
    • https://cdn.shopify.com/s/files/1/0428/9419/6902/files/80154575775.pdf
    • https://cdn.shopify.com/s/files/1/0432/5657/8212/files/40204749512.pdf
    • https://cdn.shopify.com/s/files/1/0430/4856/6941/files/cours_d_anthropologie_sociale_et_culturelle.pdf
    • https://cdn.shopify.com/s/files/1/0437/4475/5866/files/new_bollywood_full_movies_2018_hdfriday.pdf
    • https://static.usrfiles.com/ugd/b8c837_a4a378839d60410eb8dbaa4adbe5138b.pdf
    • https://static.usrfiles.com/ugd/c7ef1a_b89e5d3e4e1d4d7a855628b33e9e287e.pdf
    • https://static.usrfiles.com/ugd/b8c837_06d56adb15d54897b784d48dbdd6e531.pdf
    • https://cdn.shopify.com/s/files/1/0432/5765/9547/files/20153015346.pdf
    • https://cdn.shopify.com/s/files/1/0431/6410/6901/files/11907773862.pdf
    • https://cdn.shopify.com/s/files/1/0436/0686/8131/files/57658036075.pdf
    • https://cdn.shopify.com/s/files/1/0444/0260/6246/files/abstract_example_for_research_paper.pdf
    • https://cdn.shopify.com/s/files/1/0429/8014/7359/files/13024274885.pdf
    • https://cdn.shopify.com/s/files/1/0434/2883/9581/files/jetivafilezezuvebovexux.pdf
    • https://cdn.shopify.com/s/files/1/0432/6568/7717/files/3259868017.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
stream_016_off00014599.bin | 41106fe9a07ceeb1833557e0ab2cfbd1aaa01bb8b874b05d5e7cc5f1a8674fa4 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x14599 | 18892 bytes
font_00_sfnt_off000054f8.bin | e59037b55eb65fa6455cf1c6287e33a9d16be46809afb7af2e33fa14b570a7d3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x54F8 | 7916 bytes
font_01_sfnt_off00006958.bin | 1d890cbc49c86b194b6bea92bfd272c23f59aa3734dae7befebffe896f6f634c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6958 | 4032 bytes
font_02_sfnt_off000077c8.bin | 7ea819af0994abd39896ee896cbe4874439d4cc043319d04553e1a96ea1eb185 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x77C8 | 5536 bytes
font_03_sfnt_off00008aa6.bin | dbaab8dcf32bfe64cb008f34eb54f5316f62236e8dffe3de49b44225404383a5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8AA6 | 2656 bytes
font_04_sfnt_off000095a8.bin | 119132d4d86df12b64aacef50f1aeac69cc60fdd8dbe27b6e2ceb22654f0acbc | pdf-font-stream | PDF embedded font (sfnt) at offset 0x95A8 | 4140 bytes
font_05_sfnt_off0000a2c5.bin | 1b68eb0745f369bd9f805b89718582bd6ebaf917deeaaae5095027b3f32dc7b8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA2C5 | 3048 bytes
font_06_sfnt_off0000aed2.bin | c42118b51b061dffbc196cd4866a2cf76d9f31ae9d0a8f6c06e6ad224a677b24 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAED2 | 2328 bytes
font_07_sfnt_off0000b989.bin | d07a9fdf75b1e191e7a1ea25e2941b9f689ff98e7e435169aef8b5fb7be41b17 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB989 | 2604 bytes
font_08_sfnt_off0000c462.bin | 539cdcd3431b5dcf0d965db13bf1862ecbed36403e990344ef22ea2408619689 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC462 | 15520 bytes
font_09_sfnt_off0000ece8.bin | 806d12f4c18e044784d20764d58024893796e88f204c306662924b3e907cbcac | pdf-font-stream | PDF embedded font (sfnt) at offset 0xECE8 | 2108 bytes
font_10_sfnt_off0000f6c5.bin | 87016e8933cc862d1d188edfbee698abcff8178ed3d6b510b61737ee02f60284 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF6C5 | 4336 bytes
font_11_sfnt_off00010465.bin | be38186c9256ba0e64b07d34cca2e63b176d3ffd182ae4667a642b503e748fe0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10465 | 6148 bytes
font_12_sfnt_off0001144f.bin | fbae1dce8c4f18a6c81a524b56c19a17ec8a94c222e8f53893793f88c8af1ff3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1144F | 15964 bytes
font_14_sfnt_off000164f5.bin | ecf51c2dbb9281b20c5dc3daf9ad1c9b9cc7ec56331f29427b924fb34bf6c063 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x164F5 | 3536 bytes