Malicious PDF — malware analysis report

Static analysis result for SHA-256 76514b3120aed826…

MALICIOUS

PDF

Size: 57.2 KB
Created: 2020-08-17 09:26:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-23
MD5: 7c359b4e5738a05b00e24b9b4d37c0d2
SHA-1: 37b265edc2b6369d840dd4b40e8b4591641abda7
SHA-256: 76514b3120aed82645cfd867a7ca2c2d9a739d09df34edf6e422a57bd2f2a7ed
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The document trips a heuristic for linking to known malicious redirector infrastructure: it carries a clickable URL to https://ttraff.ru/pify?keyword=the+brotherhood+of+war+2004. It also has the shape of a PDF link farm, with many embedded URLs pointing to other PDF files, most of them on a single host, a pattern used for search-engine manipulation and for routing victims through redirect chains. No scripts were extracted from the file, so the T1059.007 (JavaScript) mapping is not backed by an observed script; the verdict rests on the embedded URLs and the redirector link, which point to an attempt to lead the user to harmful content through user interaction rather than through a parser exploit.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it is informational.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=the+brotherhood+of+war+2004 (in PDF document text)
    • http://files.norforkschools.org/uploads/1/3/1/4/131437615/madaloxalatewi_fipigagaluvivoj_nawaj.pdf (in PDF document text)
    • http://files.fullfledgedonline.com/uploads/1/3/0/9/130969735/solenipesuxugujopuki.pdf (in PDF document text)
    • http://kazoluj.olvinfants.com/uploads/1/3/2/3/132302780/4889876.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0431/3242/0250/files/riguwebewarijaxi.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0435/0846/5828/files/segurana_em_tecnologia_da_informao.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0440/6755/3430/files/argos_catalogue_ie.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0434/5420/2018/files/jizoz.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0432/3665/5259/files/sap_businessobjects_business_intelligence_suite.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0437/7221/5448/files/prentice_hall_biology_book_online.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0438/6881/5528/files/shinchan_tamil_videos_for_whatsapp_status.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0435/5280/0920/files/91379493960.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0428/0749/2775/files/nmat_gmac.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0437/8152/1560/files/small_business_ideas_in_tamil.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0436/7322/3321/files/takatojupedezopafovexupu.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    Only the ttraff.ru redirector URL and the fourteen .pdf targets (eleven of them on cdn.shopify.com) are the links the two critical heuristics refer to. The www.w3.org, purl.org and ns.adobe.com entries are RDF/XMP namespace identifiers from the document metadata, and the ascendercorp.com, daltonmaag.com, dejavu.sourceforge.net and scripts.sil.org entries are font vendor and license URLs of the kind carried in the name tables of embedded fonts; they are metadata residue rather than link targets.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_006_off0000acef.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xACEF | 18172 bytes
  SHA-256: 2c2e2977b1079a328ec94d0f9c824bd585703e9ae6dcfba85c7f25a1363c1cb2
font_00_sfnt_off000066a3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x66A3 | 4672 bytes
  SHA-256: 9c6f89b6e1eb02c6fde2451b5bbf6833641a0b8deb030082ad76515d31afe433
font_01_sfnt_off0000773f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x773F | 4964 bytes
  SHA-256: ed828506dfaca7a3511e35eb327bd5f55de5deee3a615e14d15b39eb0e789377
font_02_sfnt_off00008840.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8840 | 10820 bytes
  SHA-256: 90b5078d409ebe99465a4886b9e002bc178d1fb992553b6dfc01ae2666d17b64
font_04_sfnt_off0000c8fa.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC8FA | 4324 bytes
  SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34
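Added example, not the analyzer's own code: a raw-bytes triage script that reproduces the four heuristics above and the stream carving behind the Extracted artifacts table. carve_streams inflates and hashes FlateDecode streams the way the artifact rows were produced, duplicate_objects implements the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL check (first-wins versus last-wins bodies, severity raised only for active content), extract_uris with redirector_hits implements PDF_MALICIOUS_REDIRECTOR_LINK, and link_farm_verdict implements PDF_SEO_LINK_FARM. The thresholds, the indicator host set, every example.* domain and the sample PDF built by build_sample_pdf are assumptions constructed for illustration; only the ttraff.ru host comes from this report.

```python
"""Static triage for the PDF shapes flagged in this report. Added example, not the
analyzer's own code: it scans raw bytes instead of following the xref table, so it
sees every object definition (duplicates included) and every stream. Thresholds,
the indicator list and the sample PDF are assumptions made for illustration."""
import hashlib
import re
import zlib
from collections import Counter, defaultdict
from urllib.parse import urlparse

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # direct /Length only
STREAM_KW = re.compile(rb"(?<!end)stream\r?\n")
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/EmbeddedFile")
# ttraff.ru is the host named in this report; redir.example is a constructed host
# added so that the sample below triggers the check.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.ru", "redir.example"}


def carve_streams(data):
    """Carve each stream by its direct /Length, inflate FlateDecode bodies and hash
    them (the 'Extracted artifacts' rows). Indirect /Length refs are not resolved."""
    artifacts = []
    for m in LENGTH_RE.finditer(data):
        kw = STREAM_KW.search(data, m.end())
        if kw is None:
            break
        raw = data[kw.end():kw.end() + int(m.group(1))]
        try:
            body = zlib.decompress(raw)
        except zlib.error:
            body = raw  # not Flate, or damaged: keep the raw bytes
        artifacts.append({"offset": kw.end(), "size": len(body),
                          "sha256": hashlib.sha256(body).hexdigest(), "body": body})
    return artifacts


def duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (num gen) defined more than once with
    different bytes. Severity rises only when a copy carries active content."""
    bodies = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        bodies[(int(m.group(1)), int(m.group(2)))].append(m.group(3))
    findings = {}
    for key, seen in bodies.items():
        if len(set(seen)) > 1:
            active = any(k in b for b in seen for k in ACTIVE_KEYS)
            findings[key] = {"copies": len(seen),
                             "first_wins": hashlib.sha256(seen[0]).hexdigest()[:12],
                             "last_wins": hashlib.sha256(seen[-1]).hexdigest()[:12],
                             "severity": "critical" if active else "info"}
    return findings


def extract_uris(data):
    """/URI targets from raw objects plus inflated streams; a link annotation inside
    an object stream is invisible to a plain grep of the file."""
    blobs = [data] + [a["body"] for a in carve_streams(data)]
    return [m.group(1).decode("latin-1") for blob in blobs for m in URI_RE.finditer(blob)]


def redirector_hits(uris):
    """PDF_MALICIOUS_REDIRECTOR_LINK: clickable URI on a known redirector host."""
    return [u for u in uris if (urlparse(u).hostname or "") in KNOWN_REDIRECTOR_HOSTS]


def link_farm_verdict(data, max_size=150_000, min_links=8, cluster_share=0.6):
    """PDF_SEO_LINK_FARM: small file, many external .pdf links, mostly on one host.
    The three thresholds are illustrative assumptions."""
    pdf_links = [u for u in extract_uris(data) if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    fires = len(data) <= max_size and len(pdf_links) >= min_links and share >= cluster_share
    return {"fires": fires, "pdf_links": len(pdf_links), "top_host": top_host,
            "top_share": round(share, 2)}


def build_sample_pdf():
    """Constructed sample, not the analysed file: ten link annotations to .pdf targets
    (eight on one host), one link annotation hidden in a Flate object stream that
    points at the 'known' redirector, and object 4 defined twice (second copy adds JS)."""
    targets = [f"https://cdn.example/files/{i}.pdf" for i in range(8)]
    targets += ["http://files.example.org/a.pdf", "http://other.example.net/b.pdf"]
    annots = b"".join(
        b"%d 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\nendobj\n"
        % (10 + i, t.encode()) for i, t in enumerate(targets))
    hidden = zlib.compress(b"20 0 << /Type /Annot /Subtype /Link "
                           b"/A << /S /URI /URI (https://redir.example/go?x=1) >> >>")
    objstm = (b"5 0 obj\n<< /Type /ObjStm /N 1 /First 5 /Length %d /Filter /FlateDecode >>\n"
              b"stream\n%s\nendstream\nendobj\n" % (len(hidden), hidden))
    page_v1 = b"4 0 obj\n<< /Type /Page /Parent 3 0 R >>\nendobj\n"
    page_v2 = (b"4 0 obj\n<< /Type /Page /Parent 3 0 R "
               b"/AA << /O << /S /JavaScript /JS (app.alert(1)) >> >> >>\nendobj\n")
    return b"%PDF-1.4\n" + page_v1 + objstm + annots + page_v2 + b"%%EOF\n"
```

To triage a real file, read its bytes and pass them to duplicate_objects, link_farm_verdict and carve_streams, and feed extract_uris into redirector_hits. On the sample, duplicate_objects reports object (4, 0) twice with differing digests and critical severity because the second copy carries /AA and /JS; link_farm_verdict fires on 10 .pdf links with 8 of them on one host; redirector_hits finds the URI that only becomes visible after the object stream is inflated. Against this report's file the link-farm check should fire on the cdn.shopify.com cluster (11 of 14 .pdf targets) and the redirector check on the ttraff.ru URL.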