Malicious PDF — malware analysis report

Static analysis result for SHA-256 27dd68333ce401cf…

Verdict: MALICIOUS
File type: PDF
Size: 49.9 KB
Created: 2020-08-07 18:46:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 36b443a726ae30abeb2d8de4abbdea90
SHA-1: d42dee0762720d42dca0e866c2b4efc444f63d1a
SHA-256: 27dd68333ce401cf8c5f56dee54bea08336e0b9c26eed832ba981940b897f9dd
Risk score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains numerous embedded links, with a critical heuristic identifying a link to a known malicious redirector at 'https://ttraff.com/pify?keyword=al+quran+only+bangla+translation+pdf+free+download'. Another critical heuristic indicates a link farm structure, with 19 external PDF links, many hosted on cdn.shopify.com. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted, but the presence of malicious redirector links and a link farm suggests the primary intent is to direct users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000061a5.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x61A5  5660 bytes
  SHA-256: dd3bdb5e9d5c297ce5a099757a1e4859ebb33d9b613303a4cbc9dd109cb10a8c
font_01_sfnt_off00007505.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7505  10712 bytes
  SHA-256: 0ef5ff683ea3855fbce53a8b0978021cde904e5630b6d28a7d8723e4d2dc1f9d
font_02_sfnt_off000095c0.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x95C0  9688 bytes
  SHA-256: 71fbb81ffa8cd1f505514f2328142b18ec344a4258cee0a3c67bb723f8d5ebb7