Malicious PDF — malware analysis report

Static analysis result for SHA-256 51af44dfa7e72c49…

Verdict: MALICIOUS
File type: PDF
Size: 98.0 KB
Created: 2020-08-24 20:26:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dc306e7170b46799581c2540be20ac93
SHA-1: b06a73f3de5dd8fa0bf35546fb1caf3fd348a00c
SHA-256: 51af44dfa7e72c4941c53e84c423af6a52e8a2b470dc3e30da1fe5a84e9d72fb
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains numerous embedded links, with a critical heuristic identifying a link to a known malicious redirector at 'https://ttraff.ru/pify?keyword=animated+movies++in+tamil+dubbed'. Another critical heuristic indicates a PDF link farm, suggesting an attempt to manipulate search engine results or distribute malicious content. The ML classifier strongly supports the malicious nature of this PDF. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=animated+movies++in+tamil+dubbed

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size (SHA-256 of each carved file on the following line)

  • font_00_sfnt_off0001107d.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x1107D  Size: 5064 bytes
    SHA-256: cb875c3cb42954751ab0247b3aefe8199e18610b9fc8d1083629dbc496a45065
  • font_01_sfnt_off00012199.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x12199  Size: 11332 bytes
    SHA-256: b5e472ea8c34b0bfc1d7bf99cd2d6f45bbb97dc69b2a3c7a25ff3455bf4dc8f8
  • font_02_sfnt_off00013f23.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x13F23  Size: 10948 bytes
    SHA-256: 788d3e35615924e176c7bfffb85c0dab816c7f30b1e02655ac1b21ab9c3c24cd
  • font_03_sfnt_off000164d5.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x164D5  Size: 16164 bytes
    SHA-256: 6e3fbd491d8b71441998836ddca0d0c102716a221ea14f8143929167ad9a79b3