Malicious PDF — malware analysis report

Static analysis result for SHA-256 75185045b899e755…

MALICIOUS

PDF

63.2 KB Created: 2020-08-24 16:42:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9cb963f814dd8d8d550b2c687dbd72ec SHA-1: 8571303e2b6e6d9d2feb582bac1b976282ad82c8 SHA-256: 75185045b899e7558da004139665e2e152d77f82b8240b9e31938f1362c71e8e
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to a link farm designed to host SEO-optimized PDFs. One prominent link, 'https://ttraff.ru/pify?keyword=blindspot+season+3+subtitles', is identified as a malicious redirector. This suggests the document is designed to trick users into visiting malicious infrastructure, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=blindspot+season+3+subtitles
    • http://kevitap.susansimons.com/uploads/1/3/0/9/130969077/ganejizivewesi.pdf
    • http://files.mindfulmoves.net/uploads/1/3/1/4/131438510/vopavaj.pdf
    • http://files.animalprotection-eg.org/uploads/1/3/1/3/131398142/9301544.pdf
    • http://files.mydmciproperties.com/uploads/1/3/1/6/131608037/2935140.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0434/3159/2092/files/general_affidavit_form_free.pdf
    • https://cdn.shopify.com/s/files/1/0433/8181/7495/files/9365417611.pdf
    • https://cdn.shopify.com/s/files/1/0428/2328/6940/files/rizalowagajufile.pdf
    • https://cdn.shopify.com/s/files/1/0432/7555/0884/files/cinema_skrillex_lyric.pdf
    • https://cdn.shopify.com/s/files/1/0445/8368/2212/files/cracking_the_genesis_code_download.pdf
    • https://cdn.shopify.com/s/files/1/0435/5650/3704/files/past_simple_vs_past_continuous_exercises_intermediate.pdf
    • https://cdn.shopify.com/s/files/1/0431/3497/6157/files/system_analysis_and_design_review_questions_and_answers.pdf
    • https://cdn.shopify.com/s/files/1/0438/2212/1122/files/jusokejudulimov.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/mosagewenusuwaguxizekud.pdf
    • https://cdn.shopify.com/s/files/1/0430/3332/9817/files/database_project_ideas.pdf
    • https://cdn.shopify.com/s/files/1/0433/5117/9416/files/marine_corps_drill_manual.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007945.bin
629123bfde0685c5f69bbdd27ec008bde0224d5c30af1dabb990f6ee33ea778e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7945 6440 bytes
font_01_sfnt_off00008939.bin
8a82423c97018dfe93fd4de8d23f1f8d20f17de96e51f94fc53d876a98be2187		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8939 5208 bytes
font_02_sfnt_off00009ae9.bin
c6d7f24c53bf81f92f53f9ef5d9b63e7ba88008762f466facc61e6e13ce27ffa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9AE9 4760 bytes
font_03_sfnt_off0000accd.bin
7e08ff2e8102fd48f3ee5e67033e3c6191eeebfacc2fb8def705347dcdecd630		 pdf-font-stream PDF embedded font (sfnt) at offset 0xACCD 14068 bytes
font_04_sfnt_off0000d897.bin
9c6561b54e5c3e4648eaa648cd4d7348be612dce651357504d9c7e3a2e98134c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD897 16448 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.