Malicious PDF — malware analysis report

Static analysis result for SHA-256 6bae9a33f064b44e…

Verdict: MALICIOUS
File type: PDF
Size: 41.4 KB
Created: 2020-08-23 17:25:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 48cb2d60b1d86d2912b0bc342cb11a1b
SHA-1: 8d1bd4c7317f39f3b125803549069cce451d3dd0
SHA-256: 6bae9a33f064b44e2df9b829af1431becf729b78274d22af09751bc6ef5f148f
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was flagged by a machine learning classifier and contains a critical heuristic indicating a malicious redirector link. The embedded URL, 'https://ttraff.ru/pify?keyword=uefa+champions+league+background+music', is the primary indicator of malicious intent, likely serving as a lure for phishing or malware delivery. While the document body mentions 'Uefa champions league background music', this is likely a deceptive pretext.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=uefa+champions+league+background+music
    • http://bebiwo.brightonandhovehypnobirthing.co.uk/uploads/1/3/1/8/131856072/1141110.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0437/1084/1000/files/osrs_abyssal_sire.pdf
    • https://cdn.shopify.com/s/files/1/0431/5843/8039/files/83007306789.pdf
    • https://cdn.shopify.com/s/files/1/0435/6443/3566/files/gatasinovina.pdf
    • https://cdn.shopify.com/s/files/1/0433/9544/8997/files/common_english_sentences_used_in_daily_life.pdf
    • https://cdn.shopify.com/s/files/1/0464/6089/5384/files/zimevukiboxeriroginojaso.pdf
    • https://cdn.shopify.com/s/files/1/0431/4441/3341/files/coldfusion_2020_cfhtmltopdf.pdf
    • https://cdn.shopify.com/s/files/1/0459/7288/1575/files/accedere_a_gmail_da_android.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006328.bin
    SHA-256: dc9836470ab67daea80d86ec2e408e1cb6b70c77ac9b62a5e8628fdff241c4ba
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6328
    Size: 5764 bytes
  • Filename: font_01_sfnt_off00007694.bin
    SHA-256: 4113e6995c49b6dbdd5608a078a390e13330a5dd9f6c0ade6896860cc1dbc5ed
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7694
    Size: 10188 bytes