Malicious PDF — malware analysis report

Static analysis result for SHA-256 4d29cf693bbe5c6b…

MALICIOUS

PDF

38.8 KB Created: 2020-08-29 22:51:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 219e5e0ed8b7cd172bbe8acdb27e304f SHA-1: 0fc8c15f2157deeb4b3a98eae92518152c4771c8 SHA-256: 4d29cf693bbe5c6bf479920bcd4605751f4e0e323e0c839a2b5a60c2b156edad
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged as malicious by an ML classifier and contains a critical heuristic indicating it links to known malicious redirector infrastructure. Additionally, it exhibits characteristics of a PDF SEO link farm, embedding numerous external links, with the primary malicious URL being 'https://ttraff.ru/wix?keyword=www+cinecheque+fr+liste'. The document body, though heavily obfuscated, contains references to 'cinecheque fr liste' and the authoring application 'wkhtmltopdf', suggesting a lure document. No scripts were extracted, and the primary malicious activity appears to be link redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=www+cinecheque+fr+liste
    • https://static.usrfiles.com/ugd/b8c837_d13b2cf7acd44bf5a61c0a29e2f928d2.pdf
    • https://static.usrfiles.com/ugd/ea5d7b_953307712a3e40e0b9a7f3a22b59a53e.pdf
    • https://static.usrfiles.com/ugd/b8c837_941a267a2d6b460f93fc17b5f551428b.pdf
    • https://static.usrfiles.com/ugd/b8c837_4163bf30943147c6a16d8248eb7af845.pdf
    • https://cdn.shopify.com/s/files/1/0432/3062/5950/files/jagabipikakod.pdf
    • https://cdn.shopify.com/s/files/1/0438/2598/7741/files/pathogenicity_of_salmonella.pdf
    • https://cdn.shopify.com/s/files/1/0437/6382/6849/files/ukulele_blues_tabs.pdf
    • https://cdn.shopify.com/s/files/1/0428/6336/2204/files/butibarunivelekusamu.pdf
    • https://cdn.shopify.com/s/files/1/0433/9764/4449/files/dulow.pdf
    • https://cdn.shopify.com/s/files/1/0433/2565/3160/files/samsung_galaxy_note_10._1_n8000_firmware.pdf
    • https://cdn.shopify.com/s/files/1/0431/6859/6123/files/amd_6870_driver.pdf
    • https://cdn.shopify.com/s/files/1/0440/8626/3960/files/45669742116.pdf
    • https://cdn.shopify.com/s/files/1/0432/4671/5040/files/29756890765.pdf
    • https://cdn.shopify.com/s/files/1/0440/7292/7384/files/13249658528.pdf
    • https://cdn.shopify.com/s/files/1/0440/7784/2582/files/faruvagesakap.pdf
    • https://cdn.shopify.com/s/files/1/0434/8634/7414/files/2482509209.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000580f.bin
cfd55c3f1ae0a1edfc3eea2a0c4ee9d652c71ef84ebbeb6669d09262dfc653b0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x580F 4992 bytes
font_01_sfnt_off0000691b.bin
b54077322005756576d59c062f140f17a01a5939762f8c58764287d505bf0fc9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x691B 10932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.