Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f1037a1dfc516d8…

Verdict: MALICIOUS
File type: PDF
Size: 53.9 KB
Created: 2020-08-22 16:01:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 100b69d256455642b488065be4d6f2c9
SHA-1: 7e68a2fb5c50cd9310d17ff626e4c799c05cc02c
SHA-256: 2f1037a1dfc516d8b4ba03a48528c95e62ff1dd25805add201f4323569f7b7cf
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link
  • T1059.001 PowerShell

The PDF contains numerous embedded links, including a critical redirector link to 'ttraff.com', suggesting a phishing or SEO poisoning attack. The document body, though partially corrupted, includes keywords like 'antimicrobial activity pdf 2017' and references to wkhtmltopdf, indicating an attempt to appear as legitimate research material. The presence of a large number of external PDF links, many hosted on Shopify, further supports the SEO poisoning lure. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=antimicrobial+activity+pdf+2017

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000859d.bin
  SHA-256: 04a02e9b7cd91d73c2d5275c6454f0cc6f833e353392bbc2f3ae463183cf248e
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x859D
  Size:    5820 bytes

Filename: font_01_sfnt_off00009962.bin
  SHA-256: c0b7a1f30140bae99ea2995e307076e987eb08c63af93b69b3824095ef4b6dfa
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x9962
  Size:    15864 bytes