Malicious PDF — malware analysis report

Static analysis result for SHA-256 540191c2bec4e69e…

MALICIOUS

PDF

Size: 53.4 KB
Created: 2020-08-13 05:03:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 08dea8cb66786b02a7dca88793bc870b
SHA-1: 2166257eff19f1be84869b8d78bf1260d4480ddf
SHA-256: 540191c2bec4e69ef3e2a17e82ae3f55672fa7b07c6b1a93830dc96ce41b8bca
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a mass external link farm, with one critical link pointing to a known malicious redirector at ttraff.ru. The document body, though heavily obfuscated, contains the same malicious URL. This suggests the primary purpose is to redirect the user to malicious content via the ttraff.ru domain.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://ttraff.ru/pify?keyword=brahm+kavach+paath+in+punjabi+pdf

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off000062d5.bin
    SHA-256: 2941b4e47c74071bd84f23bda19d0f0e960cb48a92ceaf7c6387754d96f9104d
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x62D5; Size: 5576 bytes
  • font_01_sfnt_off000075a2.bin
    SHA-256: 814992be763021c11dca23fed22b8bb7a0f9688c8b5af2f3d58b36f318d7b63c
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x75A2; Size: 3740 bytes
  • font_02_sfnt_off0000811b.bin
    SHA-256: ec182bc24d944cd2001623d469fbe797cd5664e85ac6e26f8efcff1a2884abab
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x811B; Size: 7416 bytes
  • font_03_sfnt_off00009a7f.bin
    SHA-256: d7cebb6cea3e5180faabb77d8d33c6b7fc83b7a8a6df2938a89e7f51ba8266df
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x9A7F; Size: 14620 bytes