Malicious PDF — malware analysis report

Static analysis result for SHA-256 6f339c189954f0d9…

Verdict: MALICIOUS
File type: PDF
Size: 72.3 KB
Created: 2020-08-21 04:48:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e07d3fe2d46bc4a8624c91b908a0f949
SHA-1: 2cb0e1815309a54e68bd44d6101331144cf2389a
SHA-256: 6f339c189954f0d941d8624b17f01edb7c94d43a9f64eafee72c8bc0e15cccc8
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a significant number of embedded links, with at least one pointing to known malicious redirector infrastructure. The ML classifier also strongly indicated maliciousness. The document body contains garbled text but includes the URL 'https://ttraff.cc/pify?keyword=guideline+synonym+words', which is likely the primary malicious destination. The presence of numerous external PDF links suggests a link farm or SEO poisoning attempt to lure victims to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9979

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://ttraff.cc/pify?keyword=guideline+synonym+words
    • http://mojisiv.nataliemarie.org/uploads/1/3/1/4/131437502/kufixawaro_zopamisire.pdf
    • http://files.mypittsburgchamber.org/uploads/1/3/1/3/131379732/vipot.pdf
    • http://files.yogaterrium.com/uploads/1/3/1/1/131163943/4709747.pdf
    • http://wafax.themintmovement.com/uploads/1/3/2/7/132740285/ac907939082acee.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • http://www.opentle.org
    • https://cdn.shopify.com/s/files/1/0431/6797/3538/files/retained_placenta_treatment.pdf
    • https://cdn.shopify.com/s/files/1/0432/8108/8670/files/pafaverulirivoseva.pdf
    • https://cdn.shopify.com/s/files/1/0433/6330/3575/files/lorirewajabebotidege.pdf
    • https://cdn.shopify.com/s/files/1/0428/4196/4710/files/806726736.pdf
    • https://cdn.shopify.com/s/files/1/0431/2937/2832/files/zagotuto.pdf
    • https://cdn.shopify.com/s/files/1/0433/2827/4585/files/1224660148.pdf
    • https://cdn.shopify.com/s/files/1/0430/4856/6933/files/diablo_2_unique_items.pdf
    • https://cdn.shopify.com/s/files/1/0428/0126/6851/files/panthers_schedule_2020.pdf
    • https://cdn.shopify.com/s/files/1/0440/6290/0374/files/27220690139.pdf
    • https://cdn.shopify.com/s/files/1/0431/0577/9863/files/26090524748.pdf
    • https://cdn.shopify.com/s/files/1/0431/9353/2573/files/79422192685.pdf
    • https://cdn.shopify.com/s/files/1/0434/9886/4804/files/guneruxuve.pdf
    • https://cdn.shopify.com/s/files/1/0430/4830/4797/files/51921776301.pdf
    • https://cdn.shopify.com/s/files/1/0432/0998/2107/files/diabetic_amyotrophy.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/gpl.html

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Each entry lists: filename, SHA-256, kind, source, size.

stream_010_off0000e54c.bin
  SHA-256: 6ef91b52294061afee7c04ddaff540805cec86c50d5e92feaf8e4f6d5e992974
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xE54C
  Size: 19436 bytes

font_00_sfnt_off0000606f.bin
  SHA-256: ddf8f6fb79b582f1c493c51a96dd7205240fea98923c1d34b0585ff3bb9f7b7a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x606F
  Size: 6704 bytes

font_01_sfnt_off00007778.bin
  SHA-256: bba1a1271a4da66d7804437336e204b634195b5604d932ac68e5a22bbe014a70
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7778
  Size: 4984 bytes

font_02_sfnt_off00008867.bin
  SHA-256: 0be97644eeb6d28ee4ab0594ccbf1c920573bdd8f547e11e3c8fbaa7cc1b031c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8867
  Size: 3708 bytes

font_03_sfnt_off000095bf.bin
  SHA-256: 6d897259d7ab9db79b0dbb16904cd99ff486aa7f4a475590a5d3e44eab6e0eed
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x95BF
  Size: 2328 bytes

font_04_sfnt_off0000a075.bin
  SHA-256: b3976ad28991401f3a7e0d936621f3963ed8fd81aff5bedc9e25cf6548b1959b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA075
  Size: 2108 bytes

font_05_sfnt_off0000aa40.bin
  SHA-256: c8cb303e765c67f43d6d34f29c1d02953890772ff7b697be779fb29335000f72
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xAA40
  Size: 6640 bytes

font_06_sfnt_off0000bbdf.bin
  SHA-256: d41c8ae3a6953cbba4b49dfc00bbb65776eaf89d3765ffa23d1175513071a7a0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xBBDF
  Size: 12492 bytes

font_08_sfnt_off000104b2.bin
  SHA-256: 333cf0bae5291019b79d77a37696b89786718dc77a0e6f1c7356514a48765311
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x104B2
  Size: 3276 bytes