Malicious PDF — malware analysis report

Static analysis result for SHA-256 72f9cd0f7aaa90c0…

MALICIOUS

PDF

41.9 KB Created: 2020-09-01 16:50:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6cde05d1b0c12c2fc2c539434d806e68 SHA-1: 26e89fb11d72a1fa34fda066659c683fefb4780c SHA-256: 72f9cd0f7aaa90c0fd12f739148f755af125cea96b7cce85608282e1c3daea55
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded links, including one pointing to a known malicious redirector infrastructure at 'https://ttraff.ru/wix?keyword=baahubali+2+tamil+movie+hd+720p'. The document body also contains this URL, suggesting a lure to trick users into clicking it. The presence of a large number of external PDF links indicates a link farm, often used for SEO manipulation or to distribute malicious content. No scripts were extracted, but the embedded links are sufficient evidence of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=baahubali+2+tamil+movie+hd+720p
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0441/1860/5976/files/45449986342.pdf
    • https://cdn.shopify.com/s/files/1/0461/9465/5390/files/suworixojezez.pdf
    • https://cdn.shopify.com/s/files/1/0434/2880/6807/files/angular_6_tutorial_for_beginners_step_by_step.pdf
    • https://cdn.shopify.com/s/files/1/0430/4827/2023/files/32618076019.pdf
    • https://static.usrfiles.com/ugd/1a89c8_e825d08b831245a0a0a11634ff626ce4.pdf
    • https://static.usrfiles.com/ugd/9734e7_802e365b25094e758c18984640bc42f5.pdf
    • https://static.usrfiles.com/ugd/1be480_fc5799070f9b4fbc9de8ed6198944eff.pdf
    • https://static.usrfiles.com/ugd/cbdbb6_ccfedceb77ed427dab8972b771eb4293.pdf
    • https://cdn.shopify.com/s/files/1/0452/7544/7458/files/bts_world_text_message_answers.pdf
    • https://cdn.shopify.com/s/files/1/0427/4431/6070/files/rxjs_distinct_array.pdf
    • https://cdn.shopify.com/s/files/1/0432/4678/0566/files/69134305474.pdf
    • https://cdn.shopify.com/s/files/1/0432/4438/8514/files/nugunesiwezoseguseboz.pdf
    • https://cdn.shopify.com/s/files/1/0440/2728/1558/files/joxosavud.pdf
    • https://cdn.shopify.com/s/files/1/0428/0621/4819/files/is_selection_sort_stable.pdf
    • https://cdn.shopify.com/s/files/1/0448/1817/0018/files/fusenejugebuse.pdf
    • https://cdn.shopify.com/s/files/1/0434/6370/4729/files/patilon.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006462.bin
e0af0f71620d279b5f3f7c4b52b4edfc67d10ef8a6faeab6f6ba0cf95fa74ebd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6462 5528 bytes
font_01_sfnt_off00007711.bin
4dbacbe5edc62a8e15ac878d85cfe60d0cea72e9a834a4665dda9ee07670f1bf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7711 10372 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.