Malicious PDF — malware analysis report

Static analysis result for SHA-256 4feae8981236d860…

MALICIOUS

PDF

Size: 49.2 KB
Created: 2020-08-23 16:19:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 17310ed2720d3b315bda588df482f338
SHA-1: 4d492593a1640002a2cd9dac8bab7449902188a9
SHA-256: 4feae8981236d860dcd523306df4aa64416e091401f4b8b8ad3d0aa29ce650ab
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains embedded links, one of which, 'https://ttraff.cc/pify?keyword=burning+bright+full+movie++tamilrockers', is flagged as a malicious redirector. The document body, though heavily obfuscated, appears to contain similar text, suggesting a lure for pirated content. The PDF also hosts a large number of other PDF links, many pointing to Shopify, which is characteristic of SEO link farm abuse. No scripts were extracted, but the primary attack vector appears to be social engineering via a malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=burning+bright+full+movie++tamilrockers (URL)
    • http://sokez.tsubosalon.com/uploads/1/3/0/9/130969077/futiriri.pdf
    • http://files.rogerbarnard.com/uploads/1/3/1/4/131407227/lagurebebujorud.pdf
    • https://cdn.shopify.com/s/files/1/0435/8694/5181/files/infinity_mathematics.pdf
    • https://cdn.shopify.com/s/files/1/0454/7280/9126/files/chromic_acid_preparation.pdf
    • https://cdn.shopify.com/s/files/1/0428/9649/0663/files/31085318652.pdf
    • https://cdn.shopify.com/s/files/1/0429/2093/5590/files/dosiguzap.pdf
    • https://cdn.shopify.com/s/files/1/0428/0349/5071/files/to_be_simple_present_tense_exercises.pdf
    • https://cdn.shopify.com/s/files/1/0431/4900/0864/files/woferopalinevusupeworeg.pdf
    • https://cdn.shopify.com/s/files/1/0431/6204/2529/files/gatanosolomut.pdf
    • https://cdn.shopify.com/s/files/1/0427/5165/6102/files/vewodewekarenoki.pdf
    • https://cdn.shopify.com/s/files/1/0431/8891/2290/files/jolimuperejutewuwines.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 5

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off000054a9.bin
    SHA-256: 3c7407dc59a138f8e2f686aee8c033ea60ad92d00bc5cd153dc86dd1ac2103f6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x54A9
    Size: 5608 bytes
  • font_01_sfnt_off00006796.bin
    SHA-256: a2aa97dbaa9802a3f966e24f1ba010be51698f2616543bb33e2eb3d51716f005
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6796
    Size: 2984 bytes
  • font_02_sfnt_off000073bf.bin
    SHA-256: 48457a76825d3f46a83b88a93890016c2744f90a2830a41d2c4c98c197d1d3c3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x73BF
    Size: 10392 bytes
  • font_03_sfnt_off00009747.bin
    SHA-256: 589f2a64e89766a8ae62896ea8444fa1a87810255c984bbc4fd2a260c4929d56
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9747
    Size: 2056 bytes
  • font_04_sfnt_off0000a036.bin
    SHA-256: ead7fd593d7f5feef6f283420e9b55f8fa4552f107c64b0063d474dd3355abd8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA036
    Size: 16164 bytes