Malicious PDF — malware analysis report

Static analysis result for SHA-256 3493567153effdc8…

MALICIOUS

PDF

42.7 KB Created: 2020-08-21 14:05:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0da7d6736ee7ee68f22170c5af8d70d1 SHA-1: 1e00fb1f6dfe000674ecca40ee520e0c31ee16b7 SHA-256: 3493567153effdc8e1f4627fbfb1536a3bf87634ee64b9585cb8f4c634c07516
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains embedded links, one of which points to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains text related to 'Ptcb practice test and answers' and the malicious URL. This suggests a phishing or scam attempt to lure users to click the malicious link, likely to download further malware or lead them to a credential harvesting page.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=ptcb+practice+test+and+answers
    • http://files.businesswritingmasters.com/uploads/1/3/0/9/130969389/2803208.pdf
    • https://cdn.shopify.com/s/files/1/0434/4715/6903/files/free_spreadsheet_software_for_android_tablet.pdf
    • https://cdn.shopify.com/s/files/1/0432/5575/9011/files/barbarian_diablo_3_build.pdf
    • https://cdn.shopify.com/s/files/1/0427/4041/6678/files/certification_of_origin_template.pdf
    • https://cdn.shopify.com/s/files/1/0431/6761/3087/files/zozurefapufamizuj.pdf
    • https://cdn.shopify.com/s/files/1/0432/3033/1040/files/interviewer_checklist.pdf
    • https://cdn.shopify.com/s/files/1/0429/9961/1553/files/47649236301.pdf
    • https://cdn.shopify.com/s/files/1/0434/5266/1912/files/advanced_computer_architecture_book.pdf
    • https://cdn.shopify.com/s/files/1/0433/6638/3768/files/donosigedulonewobota.pdf
    • https://cdn.shopify.com/s/files/1/0437/2722/4986/files/0x3f_to_decimal.pdf
    • https://cdn.shopify.com/s/files/1/0431/7813/1611/files/72186864023.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006821.bin
0798f78eef06729244499a7e824a82303e6984c1e7709688e57560f6c5c743fd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6821 5268 bytes
font_01_sfnt_off00007a1a.bin
6c7ce50324ec2cd5b8f8ebdedafa31a1d4b5deb2d8bfc45bd6105ebd42f6cbd6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A1A 10652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.