Malicious PDF — malware analysis report

Static analysis result for SHA-256 3a423cd81d2687c8…

MALICIOUS

PDF

48.5 KB Created: 2020-08-01 17:18:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 283fc568a322e546a77bf39e7fadf33f SHA-1: 0c01a1522144383af06730bf9036acb611225cc3 SHA-256: 3a423cd81d2687c8b330303ca9bc373c32cb849af5b0acf37b1755bbcc6711da
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a significant number of embedded links, with one heuristic specifically identifying it as a 'PDF SEO Link Farm'. The presence of a link to a known malicious redirector, 'https://ttraff.cc/pify?keyword=osrs+rotten+tomato', indicates a malicious intent to redirect users to harmful content. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted, so the primary attack vector appears to be the manipulation of document links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=osrs+rotten+tomato
    • http://files.meetprojectsound.com/uploads/1/3/1/4/131437680/dupapufiremop_katakerebofad_fasawo.pdf
    • http://files.andrewflojo.com/uploads/1/3/2/3/132302924/7cb2b4b2e.pdf
    • http://files.hustlera.co/uploads/1/3/2/6/132681885/dunorenu-kosoririxajukox.pdf
    • http://files.hooversfarmsupply.com/uploads/1/3/0/9/130969334/2026091.pdf
    • http://files.silvastudioart.com/uploads/1/3/1/3/131383727/c2b014a40.pdf
    • https://cdn.shopify.com/s/files/1/0429/2804/6233/files/damerup.pdf
    • https://cdn.shopify.com/s/files/1/0434/8225/1421/files/13425206050.pdf
    • https://cdn.shopify.com/s/files/1/0437/5399/6442/files/86360195311.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/66689816557.pdf
    • https://cdn.shopify.com/s/files/1/0434/2795/4840/files/kileraxuvozofitoferazadas.pdf
    • https://cdn.shopify.com/s/files/1/0432/5241/6672/files/voxadir.pdf
    • https://cdn.shopify.com/s/files/1/0432/3321/4621/files/35918242212.pdf
    • https://cdn.shopify.com/s/files/1/0434/5387/4329/files/7777013985.pdf
    • https://cdn.shopify.com/s/files/1/0434/3136/2725/files/backroom_casting_couch_compilation.pdf
    • https://cdn.shopify.com/s/files/1/0433/2191/7598/files/duwakesitadakiguxox.pdf
    • https://cdn.shopify.com/s/files/1/0430/2936/4889/files/openvpn_duplicate-_cn.pdf
    • https://cdn.shopify.com/s/files/1/0431/1128/4893/files/lizusiwojidogok.pdf
    • https://cdn.shopify.com/s/files/1/0433/7709/8910/files/77725893181.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008261.bin
b85e3a08530073a2c8e11d1cd562b4779df1d67df78033640ad12a0d933df36e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8261 4828 bytes
font_01_sfnt_off000092ab.bin
b6d31fe9419d4323eb3ac60a6de30330026a479264e583014cc9da0d66d2c121		 pdf-font-stream PDF embedded font (sfnt) at offset 0x92AB 10148 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.