Malicious PDF — malware analysis report

Static analysis result for SHA-256 45fdae9d22b1168c…

MALICIOUS

PDF

43.0 KB Created: 2020-08-23 09:21:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f3628b6bfe6a9dad28d88cfff399acc0 SHA-1: bf77c8426a787a68216f76ee7e314873bc97dc88 SHA-256: 45fdae9d22b1168c1d47162a1dd85096742f05ccb601d717788ff622ce06927c
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous embedded links, with one specifically identified as a malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.cc/pify?keyword=examiners+report+2018+gcse', which is a known malicious redirector. The presence of a large number of external PDF links, many hosted on Shopify, suggests a link farm intended to manipulate search engine results or distribute malicious content. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=examiners+report+2018+gcse
    • http://files.cheapautoglassinlasvegasnv.com/uploads/1/3/1/4/131437848/7284632.pdf
    • http://japenop.joystondsouza.com/uploads/1/3/1/1/131164250/9887345.pdf
    • http://bimotuw.richardhall.net/uploads/1/3/1/1/131164471/4018ebb91ce35b.pdf
    • http://wokoxosi.iomttcronkbanecottages.com/uploads/1/3/1/0/131070450/aa6b3561c8bc9.pdf
    • https://cdn.shopify.com/s/files/1/0429/0609/1687/files/cours_atomistique_s2.pdf
    • https://cdn.shopify.com/s/files/1/0427/3831/9527/files/rifisubigirorukekujikad.pdf
    • https://cdn.shopify.com/s/files/1/0429/5114/7676/files/fosapejalojanam.pdf
    • https://cdn.shopify.com/s/files/1/0429/0094/7103/files/kugikunekovi.pdf
    • https://cdn.shopify.com/s/files/1/0433/2116/3941/files/video_er_professional_opera_extension.pdf
    • https://cdn.shopify.com/s/files/1/0434/7301/0840/files/kiwidapemurapiwolonivug.pdf
    • https://cdn.shopify.com/s/files/1/0428/7207/8499/files/zovafuxuvozubeniju.pdf
    • https://cdn.shopify.com/s/files/1/0435/4985/1811/files/simonejekogagujobe.pdf
    • https://cdn.shopify.com/s/files/1/0432/2826/6654/files/xelojimoloxisavi.pdf
    • https://cdn.shopify.com/s/files/1/0434/6924/2534/files/96567752407.pdf
    • https://cdn.shopify.com/s/files/1/0431/4044/8407/files/15060512215.pdf
    • https://cdn.shopify.com/s/files/1/0441/3220/4696/files/90316018790.pdf
    • https://cdn.shopify.com/s/files/1/0430/5072/9621/files/gupalenoxafujebomigafexe.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c71.bin
f80f06f778bb0279581206ba1ae10b0028cd5c9a0f038f608a5c3f837440157b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C71 5556 bytes
font_01_sfnt_off00006f38.bin
121a5504d8359b3c4e7fde8dff21a509607a39167557beb89faf69ac4815bb35		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F38 9908 bytes
font_02_sfnt_off0000911a.bin
ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x911A 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.