Malicious PDF — malware analysis report

Static analysis result for SHA-256 2679824a88d7327a…

MALICIOUS

PDF

Size: 37.5 KB
Created: 2020-09-02 13:17:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3976a42e90c3b10fdd35d9b453b5ec83
SHA-1: d40f42b95f9e8cf329741ac79b428b1a344b1675
SHA-256: 2679824a88d7327a02bd99d123e2a7f2dbfd2ecfe2a7d03fef264e38adcb2a41
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains embedded links that point to a known malicious redirector infrastructure, specifically 'https://ttraff.cc/pify?keyword=bjp+logo+image'. The document body, though heavily obfuscated, also contains this URL, suggesting an attempt to disguise malicious content as a 'bjp logo image'. The presence of a large number of external PDF links, many pointing to static.usrfiles.com, indicates a link farm strategy, likely to obscure the ultimate malicious destination. No scripts were extracted, and the PDF structure itself is the primary vector for the malicious redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.cc/pify?keyword=bjp+logo+image
    • https://static.usrfiles.com/ugd/270e53_1e766f7949d44cd4a1a9eae3b456a1ec.pdf
    • https://static.usrfiles.com/ugd/1be480_799353fbaa6140d69a0a5ff3b4023940.pdf
    • https://static.usrfiles.com/ugd/24853a_76f46a44d6794d619bb067ce9308f271.pdf
    • https://static.usrfiles.com/ugd/07ef24_4b88cd6e1afd412191c520918e4b3ed2.pdf
    • https://static.usrfiles.com/ugd/22739b_823a5949cce54020afb378ea98e58885.pdf
    • https://static.usrfiles.com/ugd/b8c837_6aae4917859e4932aac2d8b100caaea6.pdf
    • https://static.usrfiles.com/ugd/10e3af_a1773b22fb0b409790882a73a42c2d74.pdf
    • https://static.usrfiles.com/ugd/b8c837_839798b4cd984c068e33bf5e1ff58a84.pdf
    • https://static.usrfiles.com/ugd/b8c837_da597b5dc8d14027ba045ec08f63c16b.pdf
    • https://static.usrfiles.com/ugd/e2c250_93ab2da9c6bb4d5f8c6b82c0541b4385.pdf
    • https://static.usrfiles.com/ugd/3e9e83_e569ff7149ff4f5d87de5c48c343629d.pdf
    • https://static.usrfiles.com/ugd/3ceeb9_adeb161f14054ec0914a6a2c1c24ec46.pdf
    • https://static.usrfiles.com/ugd/b8c837_598d6818cebb42b9a47e2967aa1b1525.pdf
    • https://static.usrfiles.com/ugd/b48b60_ad757e42d3514609a882c7caa57b549a.pdf
    • https://static.usrfiles.com/ugd/defdb4_7f402b674ec84103bf9129910748222a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000486b.bin
    SHA-256: 3a1d37a1bad1f32128fd45df37ed4e235c7a4c6324f384293179708f96e449b1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x486B
    Size: 4148 bytes
  • Filename: font_01_sfnt_off00005705.bin
    SHA-256: a0b6f29aba6959023799c6bee251f43d94d58651871576ab9f87355516f2466d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5705
    Size: 4992 bytes
  • Filename: font_02_sfnt_off000067f5.bin
    SHA-256: 2a6ea1cc64a65373c3f01d58e277df81858ab5dd02664eaadf89e9bc7847ff50
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x67F5
    Size: 9660 bytes