Malicious PDF — malware analysis report

Static analysis result for SHA-256 35e9464442f6396d…

Verdict: MALICIOUS
File type: PDF
Size: 346.6 KB
Created: 2020-09-11 19:17:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 148700230751bab892228145c9d9d77e
SHA-1: 53faf26fc4867ef0eb22bee784606391d4f539fe
SHA-256: 35e9464442f6396d8e0e1774a3cd2311153ef459a57ef660d52c8f82b796c9b6
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link. The technique ID is correct for this sample, whose only delivery mechanism is a clickable link annotation; the label "Spearphishing Attachment" belongs to T1566.001.
  • T1059.001 Command and Scripting Interpreter: PowerShell. Not evidenced by the static artifacts below: no JavaScript, launch action or script content was extracted, only fonts and URLs. Treat this mapping as unconfirmed until dynamic analysis of the redirect chain shows it.

The verdict rests on one critical heuristic: the document carries a clickable link to known malicious redirector infrastructure. The link annotation's target, https://ttraff.cc/pify?keyword=innovation+definition+pdf, is the primary indicator of malicious intent. The ML classifier independently scored the file as malicious (0.9998). The document body, although heavily obfuscated, contains the same URL, so the redirection attempt is reachable both through the annotation and through the visible text. Consistent with the heuristic's description, no parser-vulnerability trigger, embedded script or launch action was identified; the file is only dangerous to a user who follows the link.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI (link annotation) pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (JavaScript, actions, URIs); this one does not, which is why it stays at info.
  • [info] EMBEDDED_URL: embedded URLs
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels say which channel (macro, JavaScript, link annotation, document body, ...) reached each URL.
    Link annotation target (the URL that fired the critical heuristic):
    • https://ttraff.cc/pify?keyword=innovation+definition+pdf
    Other URLs extracted from the document (channel not labelled in this report). All point at further .pdf files on commodity static hosting (usrfiles.com, cdn.shopify.com); worth retrieving in a sandbox as possible sibling documents of the same campaign:
    • https://static.usrfiles.com/ugd/defd8a_6795faf33663421d89f18e46345f5f43.pdf
    • https://static.usrfiles.com/ugd/4733ca_2e9d8800a56440d499cbd6c7a1f3786c.pdf
    • https://static.usrfiles.com/ugd/60933b_4e9f94dfb464498d822d2665d973a43a.pdf
    • https://cdn.shopify.com/s/files/1/0437/3377/8597/files/21559076258.pdf
    • https://cdn.shopify.com/s/files/1/0433/0350/1989/files/lease_agreement_addendum.pdf
    • https://cdn.shopify.com/s/files/1/0460/6518/9019/files/zoratonor.pdf
    • https://cdn.shopify.com/s/files/1/0434/7727/0692/files/ascii_table_decimal.pdf
    • https://static.usrfiles.com/ugd/963627_90dad7d49f934ff9b843e2a74fe72454.pdf
    • https://static.usrfiles.com/ugd/b13fd1_dbfe3a5091fe4c70b5ed22f8f4447e4c.pdf
    • https://static.usrfiles.com/ugd/83d902_b38b528b76c34e5d9ee7b10626002e72.pdf
    • https://static.usrfiles.com/ugd/f84671_3c1e19e032c04572aa5ec36e2808742f.pdf
    XMP metadata namespace identifiers (RDF, Dublin Core, Adobe PDF/XMP schemas). These are schema URIs from the document's metadata stream, present in most wkhtmltopdf output, and are not network indicators:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
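The two heuristics above (duplicate object bodies and URL extraction by channel) are easy to reproduce on raw bytes. The following Python is an added example, not the report generator's code and not the analysed sample: it scans a hand-built PDF in which an appended revision redefines the page's link annotation (object 4 0) so that a first-wins reader sees a benign URL while a last-wins reader sees a redirector URL, extracts URLs labelled as link annotation, document body or XMP metadata, and folds the result into a verdict the way the report does (a clickable link to a known redirector host is decisive). The host redirector.invalid and the placeholder content are constructed; ttraff.cc is the host named in the report. The scanner handles plain and Flate-compressed content streams only; URLs split across text operators or stored as hex strings, which is what "heavily obfuscated" typically means in practice, would need a real content-stream tokenizer.

```python
"""Triage helpers for PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL.
Added example, not the report generator's code; regex-based on purpose so it
also runs over malformed files that strict parsers reject."""
import re
import zlib
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample (hand-built, not a spec-valid file: no xref, no /Length).
# The appended revision redefines object 4 0, the page's link annotation, with
# a different /URI. This is not the analysed sample.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 5 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.org/benign.pdf) >> >> endobj
5 0 obj << >> stream
BT /F1 12 Tf (see http://example.org/body.pdf) Tj ET
endstream endobj
6 0 obj << /Type /Metadata /Subtype /XML >> stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://redirector.invalid/pify?keyword=x) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# ttraff.cc is the host named in the report; redirector.invalid is a placeholder.
KNOWN_REDIRECTORS = {"ttraff.cc", "redirector.invalid"}

OBJ_RE = re.compile(rb"(?<!\w)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.DOTALL)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# Keys whose presence makes a duplicate body "active content" for the severity bump.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/URI", b"/SubmitForm", b"/GoToR")


def parse_objects(data):
    """Map (number, generation) -> list of body bytes in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def find_duplicate_objects(data):
    """Same object id defined more than once with differing bodies.
    A first-wins reader resolves bodies[0], a last-wins reader bodies[-1]."""
    findings = []
    for key, bodies in parse_objects(data).items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            findings.append({
                "obj": key,
                "definitions": len(bodies),
                # Assumed severity scheme: raise only when active content is involved.
                "severity": "medium" if active else "info",
                "first_wins": bodies[0],
                "last_wins": bodies[-1],
            })
    return findings


def stream_payload(body):
    """Return the decoded stream data of an object body, or None if it has none."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    raw = m.group(1)
    if b"/FlateDecode" in body:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw  # corrupt or truncated stream: scan the raw bytes anyway
    return raw


def extract_urls(data):
    """Map each URL to the sorted list of channels that reached it."""
    channels = defaultdict(set)
    for body in (b for bodies in parse_objects(data).values() for b in bodies):
        if re.search(rb"/S\s*/URI\b", body):  # URI action, usually a link annotation
            for m in URI_ACTION_RE.finditer(body):
                channels[m.group(1).decode("latin-1")].add("link-annotation")
        payload = stream_payload(body)
        if payload is None:
            continue
        channel = "xmp-metadata" if b"/Metadata" in body else "document-body"
        for m in URL_RE.finditer(payload):
            channels[m.group(0).decode("latin-1")].add(channel)
    return {u: sorted(c) for u, c in channels.items()}


def triage(data, redirector_hosts):
    """A clickable link to a known redirector host is decisive; a duplicate
    object carrying active content alone only makes the file suspicious."""
    urls = extract_urls(data)
    hits = sorted(u for u, ch in urls.items()
                  if "link-annotation" in ch and urlparse(u).hostname in redirector_hosts)
    dups = find_duplicate_objects(data)
    if hits:
        verdict = "malicious"
    elif any(d["severity"] != "info" for d in dups):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "redirector_hits": hits, "urls": urls, "duplicates": dups}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PDF, KNOWN_REDIRECTORS), default=repr, indent=2))
```

Splitting the sample at its first %%EOF and scanning only the original revision yields no duplicate and no redirector hit, which is the benign-incremental-update case the heuristic's caveat describes; the full file yields one duplicate of 4 0 whose two bodies disagree on the /URI, and the last-wins URL is the one a typical reader follows.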

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType) font programs, which is consistent with a wkhtmltopdf-generated document; no executable, script or secondary document was carved.

font_00_sfnt_off0004e892.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4E892
  Size: 12004 bytes
  SHA-256: 3a2cd5fe63210876bfb5c101adef6aaa5fbe5d6b657da94a25bb31d4a615cdd9

font_01_sfnt_off0005104c.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5104C
  Size: 4724 bytes
  SHA-256: e306a0d2a8577727383fb626b315a8a5d9dc9b4bc7776f509b177ecadaa4e0b4

font_02_sfnt_off00052083.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x52083
  Size: 18932 bytes
  SHA-256: 2630fce0054f516d1f5fb0f39495e531fd817070a092893d9c1c1e32771a9a46