Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b16cc81f03dffe6…

Verdict: MALICIOUS
File type: PDF
Size: 117.7 KB
Created: 2020-08-09 01:04:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0eaab58eefe78e1c6f8a7268e6bf8abc
SHA-1: 2ea14678530fec275da3eb88e78da71443a7d40a
SHA-256: 3b16cc81f03dffe6ca0c030b3374b3772fe84387ba73aede99f452f7f0e9b2d2
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.ru/pify?keyword=well+behaved+wave+function+pdf'. Additionally, a PDF link farm heuristic indicates the presence of numerous external links, many hosted on cdn.shopify.com. The ML classifier strongly flagged this PDF as malicious. The document body, though heavily obfuscated, contains the redirector URL, suggesting the primary intent is to redirect the user to malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.ru/pify?keyword=well+behaved+wave+function+pdf
    • http://files.dfwcprtrainingcenter.com/uploads/1/3/0/7/130776826/bofawewunumumap.pdf
    • http://kusob.walterslawpc.com/uploads/1/3/1/4/131453062/c94dc5b12672d68.pdf
    • http://files.tonyhardindesign.com/uploads/1/3/1/4/131407901/kemilupotiloxesolosu.pdf
    • https://cdn.shopify.com/s/files/1/0431/1682/2692/files/jinusisuwinet.pdf
    • https://cdn.shopify.com/s/files/1/0432/1473/3480/files/writing_algebraic_expressions_worksheet_with_answers.pdf
    • https://cdn.shopify.com/s/files/1/0433/3309/1480/files/96366696491.pdf
    • https://cdn.shopify.com/s/files/1/0438/7792/5019/files/17593786488.pdf
    • https://cdn.shopify.com/s/files/1/0430/3945/7431/files/knowing_god_intimately_joyce_meyer_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0432/9252/4702/files/78410519916.pdf
    • https://cdn.shopify.com/s/files/1/0430/7746/8327/files/zenexarusokisarigexojuka.pdf
    • https://cdn.shopify.com/s/files/1/0429/0389/6217/files/my_greatest_achievement_examples.pdf
    • https://cdn.shopify.com/s/files/1/0429/7873/8335/files/bigurufojoferawazexifuwoj.pdf
    • https://cdn.shopify.com/s/files/1/0433/2696/3865/files/regex_to_nfa_ocaml.pdf
    • https://cdn.shopify.com/s/files/1/0430/1658/5379/files/12335584030.pdf
    • https://cdn.shopify.com/s/files/1/0432/5549/6866/files/5250207038.pdf
    • https://cdn.shopify.com/s/files/1/0430/5915/1009/files/zemuvip.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00015857.bin
SHA-256: 97291ab046a85cb0ef4862cf48bf2b318dab10d12f47edc9680f8e9bbb77edce
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x15857
Size: 5276 bytes

Filename: font_01_sfnt_off00016a23.bin
SHA-256: 5075c91efde21d990529effc03f7642f56a66ae6fa0970819f8488fdb80962b3
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x16A23
Size: 6460 bytes

Filename: font_02_sfnt_off000179e9.bin
SHA-256: 64259ff9a08ff1a9876cad93f5380dcf0abf6e6e6066760ebc2be360a43529e8
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x179E9
Size: 17640 bytes

Filename: font_03_sfnt_off0001b0ec.bin
SHA-256: 9a9ba8da44edd8f64b3bd8481bcace890a1795322a9114c6228e453d987f3dd9
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1B0EC
Size: 16796 bytes