Malicious PDF — malware analysis report

Static analysis result for SHA-256 614c3b09034f92f7…

MALICIOUS

PDF

59.2 KB Created: 2020-08-31 07:04:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fd1b16d1d47e24649b12aeaca1459230 SHA-1: 75c49da12e4a7cd62119e751516a909d5b137d8b SHA-256: 614c3b09034f92f70a9c33fd968c9fc0e795195e610d11372ce624e06090ba1a
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded links, one of which, 'https://ttraff.ru/wix?keyword=thandavam+full+movie', is flagged as a malicious redirector. The document body, though heavily obfuscated, contains text suggesting a lure for movie content. The presence of numerous other PDF links, many pointing to Shopify, indicates a potential link farm or SEO manipulation tactic to distribute malicious content. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=thandavam+full+movie
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0435/1361/0392/files/lowipu.pdf
    • https://cdn.shopify.com/s/files/1/0435/0754/8326/files/23177150062.pdf
    • https://cdn.shopify.com/s/files/1/0431/5542/3396/files/95434081146.pdf
    • https://cdn.shopify.com/s/files/1/0440/0755/5222/files/blank_page_notebook.pdf
    • https://cdn.shopify.com/s/files/1/0430/9113/2567/files/rakijolisexipotuw.pdf
    • https://static.usrfiles.com/ugd/0df15e_c3a709672245481d98b7f237d67cba90.pdf
    • https://static.usrfiles.com/ugd/409ca8_dee81bb5a3cf4c18864600ae24fb2080.pdf
    • https://static.usrfiles.com/ugd/b8c837_d05ce806e25141aa92bb4a89de07d8ea.pdf
    • https://static.usrfiles.com/ugd/c3f59f_78606c3a647a486a87a586adf6d581ce.pdf
    • https://cdn.shopify.com/s/files/1/0430/9064/1045/files/34871017820.pdf
    • https://cdn.shopify.com/s/files/1/0431/0577/9878/files/42835346676.pdf
    • https://cdn.shopify.com/s/files/1/0449/5484/5352/files/template_web_html_admin.pdf
    • https://cdn.shopify.com/s/files/1/0465/0070/8510/files/zemufajarafemabafa.pdf
    • https://cdn.shopify.com/s/files/1/0460/1082/6913/files/pubifamozolokazemapeta.pdf
    • https://static.usrfiles.com/ugd/7ea8bb_64cb7f5d5b1e4d0ca5dbcedb5ebe6914.pdf
    • https://static.usrfiles.com/ugd/0c4177_7b685406cf4d4709984d381d32ae6b19.pdf
    • https://static.usrfiles.com/ugd/b8c837_3d441e442d24465d8a858796d771ab93.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007bc2.bin
ac5a7afc53f1d87f973fb0603e44fe6007aead5f337992853a97563e20857b32		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7BC2 4684 bytes
font_01_sfnt_off00008b78.bin
4214844e2a2ebd5df137143237027fc53b777e615d752ec5966fc1561f07ee7e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8B78 3132 bytes
font_02_sfnt_off000097e8.bin
79f13b8d97194a4f230e473723b605f2cd7aa5ad7b9c270d525f825f7b0a15b6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x97E8 10472 bytes
font_03_sfnt_off0000bbfb.bin
c41fc46809d2260d2d1a821cef6bb00dae560fdbad380da94a93f29d012df54e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBBFB 16164 bytes
font_04_sfnt_off0000d110.bin
a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD110 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.