Malicious PDF — malware analysis report

Static analysis result for SHA-256 38d6f272d1ea97a3…

MALICIOUS

PDF

Size: 72.1 KB
Created: 2020-08-21 11:49:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c9fa53eabdfcc6beca77108bbb3577f1
SHA-1: 83410253ed06268ff5c6892f6c82f12e6da1f20d
SHA-256: 38d6f272d1ea97a3f400fb47c907ca362c26974dc54f2acdfca3759a11a54dff
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains numerous embedded links, with a critical heuristic firing indicating a link to known malicious redirector infrastructure at 'https://ttraff.com/pify?keyword=concise+oxford+english+arabic+dictionary+pdf'. Another critical heuristic identified a PDF link farm, suggesting a coordinated effort to distribute malicious content. The ML classifier strongly supports the malicious nature of this PDF. The document body, though heavily obfuscated, contains references to the malicious URL and other benign-looking PDF links, likely as a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.com/pify?keyword=concise+oxford+english+arabic+dictionary+pdf
    • http://kuruvi.albertaaccesstojustice.com/uploads/1/3/1/3/131379530/1664150.pdf
    • http://files.herbssupply.com/uploads/1/3/0/7/130775200/mekivukopatar-sazufexi-rewarofubup.pdf
    • http://koriwudi.abellcable.com/uploads/1/3/2/8/132815806/4180883.pdf
    • https://cdn.shopify.com/s/files/1/0434/2002/4989/files/miwiweromafu.pdf
    • https://cdn.shopify.com/s/files/1/0432/6460/6372/files/ftk_imager_download.pdf
    • https://cdn.shopify.com/s/files/1/0436/6332/7385/files/nomenclatura_alcanos_alquenos_y_alquinos.pdf
    • https://cdn.shopify.com/s/files/1/0434/5764/2648/files/asma_gina_espaol.pdf
    • https://cdn.shopify.com/s/files/1/0433/4092/3048/files/ibm_blockchain_for_dummies_download.pdf
    • https://cdn.shopify.com/s/files/1/0437/8581/4173/files/tarokupijufixisamasota.pdf
    • https://cdn.shopify.com/s/files/1/0433/2994/5758/files/mad_men_torrent.pdf
    • https://cdn.shopify.com/s/files/1/0432/9802/9733/files/33792308134.pdf
    • https://cdn.shopify.com/s/files/1/0437/7165/8392/files/vasijaxe.pdf
    • https://cdn.shopify.com/s/files/1/0440/7423/8102/files/merge_excel_sheets_with_different_columns.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size / SHA-256

stream_007_off0000eb06.bin
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0xEB06
  Size:    16644 bytes
  SHA-256: a9d50de37f0baa71d0fea0bb44e15b553d00dae158eaecb5d6fa2e5008e788ea

font_00_sfnt_off00008d18.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x8D18
  Size:    12580 bytes
  SHA-256: f0c7d39285358b8c53bd0625bbc0753517336f47bc1df30199a199cfba907ec7

font_01_sfnt_off0000b542.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xB542
  Size:    5536 bytes
  SHA-256: 28e6aa91075013275bfdae7a32d8119f996ad702abb64beec1522f7ea7d4ca05

font_02_sfnt_off0000c80e.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xC80E
  Size:    10136 bytes
  SHA-256: bd2ec23321b5a592fa5483c9805ff3c26b76d66937fe3277c77504b2e53a4f9b

font_04_sfnt_off00010217.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x10217
  Size:    4324 bytes
  SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361