Malicious PDF — malware analysis report

Static analysis result for SHA-256 6ada0f791917a33c…

MALICIOUS

PDF

48.7 KB Created: 2020-07-25 12:21:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9399eec2bf90740121859f985b97e794 SHA-1: 17efa10684b58d1e74f064c8e86a68a9b08dfea3 SHA-256: 6ada0f791917a33c7f72859d0f625d241800d6a0e584045dc6b49b9c69e343e8
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded links, with a critical heuristic identifying it as a malicious redirector and a link farm. The primary malicious URL, https://ttraff.com/pify?keyword=motu+patlu+ki+jodi+episode++tinyjuke, is likely used to redirect users to further malicious content. The ML classifier strongly indicates maliciousness, and the presence of embedded URLs supports this. No scripts were extracted, but the overall structure suggests a phishing or malicious redirection attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=motu+patlu+ki+jodi+episode++tinyjuke
    • http://files.attorneytmorton.com/uploads/1/3/0/7/130739169/114dae9.pdf
    • http://files.naturetherapyonline.com/uploads/1/3/2/8/132814342/vuwugoduvikekadujuna.pdf
    • http://files.wvkuhl.com/uploads/1/3/2/8/132815960/vawivo-jajikoxak-putipitovuje.pdf
    • http://files.cochranetotaltree.com/uploads/1/3/1/4/131413718/bajazujixaxe.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://cdn.shopify.com/s/files/1/0428/9980/0217/files/14658038712.pdf
    • https://cdn.shopify.com/s/files/1/0430/4646/9793/files/supokamilopavogisupig.pdf
    • https://cdn.shopify.com/s/files/1/0430/4207/8877/files/97627299251.pdf
    • https://cdn.shopify.com/s/files/1/0433/2388/3688/files/59709680479.pdf
    • https://cdn.shopify.com/s/files/1/0427/4572/5094/files/biboguxozomowitil.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/96951977507.pdf
    • https://cdn.shopify.com/s/files/1/0429/7896/7703/files/9667190239.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/geligup.pdf
    • https://cdn.shopify.com/s/files/1/0430/4253/7629/files/zusudulefuzajejipageg.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/vabagibad.pdf
    • https://cdn.shopify.com/s/files/1/0440/5841/1158/files/kimeziworogaviverigefevud.pdf
    • https://cdn.shopify.com/s/files/1/0430/0183/9775/files/31506514966.pdf
    • https://cdn.shopify.com/s/files/1/0431/0715/6128/files/pupulowotal.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000073c6.bin
97b82302c0284985bbf742cb0a0d5cc0d7d1af7f48f934ce8de45071d9bc4a5a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x73C6 4984 bytes
font_01_sfnt_off000084d8.bin
3b691087948c34bc934282088ef9b10da56691e7f4db2ba509e360b53c9c1915		 pdf-font-stream PDF embedded font (sfnt) at offset 0x84D8 10608 bytes
font_02_sfnt_off0000a91a.bin
39dfe0378e6ac66e8bcda72526a8993c6fabdbcc40a61eb0dc274f4d1b993e6f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA91A 2936 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.