Malicious PDF — malware analysis report

Static analysis result for SHA-256 813a50be712e1df1…

MALICIOUS

PDF

423.5 KB Created: 2020-09-08 20:31:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cd7137e14acffefc0fcae1e30a1a50dd SHA-1: a48dc98da6c9fb124cf1816654854754ec2dfd7f SHA-256: 813a50be712e1df1f6a6ca692c1d899a4f54d36dd4f0747675958f44b7cfa16e
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.com, which is disguised as a download for 'Apache web server windows 64 bit'. This indicates a phishing or social engineering attempt to direct the user to malicious infrastructure. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9902

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=apache+web+server++windows+64+bit
    • https://static.usrfiles.com/ugd/4733ca_b56145e3030643b28ac93aee1b2382be.pdf
    • https://static.usrfiles.com/ugd/3de8a6_dd9942ea04bf48148cf505514b3998a8.pdf
    • https://static.usrfiles.com/ugd/906e9f_37b31f21eeef4597a8fa81825b41c9d7.pdf
    • https://static.usrfiles.com/ugd/162fe6_98d36018eb0d4fbc9b1569308a7904f1.pdf
    • https://cdn.shopify.com/s/files/1/0435/8379/9459/files/browser_for_iphone.pdf
    • https://cdn.shopify.com/s/files/1/0432/9262/3013/files/nogulewa.pdf
    • https://cdn.shopify.com/s/files/1/0428/8380/9443/files/baja_autoestima_tesis.pdf
    • https://cdn.shopify.com/s/files/1/0432/0159/3502/files/68104911937.pdf
    • https://cdn.shopify.com/s/files/1/0433/0009/4112/files/29504753794.pdf
    • https://static.usrfiles.com/ugd/ddb60a_892af0ac10c14dbabb7572c787c7d7fd.pdf
    • https://static.usrfiles.com/ugd/87fdc7_f121bc3d91b545988fdefe428836744a.pdf
    • https://static.usrfiles.com/ugd/36d413_1600c26ea3fd484dbc6cff92e5446b43.pdf
    • https://static.usrfiles.com/ugd/c0518c_5ff6ec4216e84b5296a485a4b350dd9f.pdf
    • https://static.usrfiles.com/ugd/a91264_fecb62a875824077a7a4ff9c00407ac5.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00065279.bin
38112518eb63a93892e46f89d295d3536b6f7b10f80cce9fe56b4cad262f6d01		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65279 5652 bytes
font_01_sfnt_off000665c1.bin
456bc936f13e276cc16f2f8911e88a6b2c28fd52c36502b47ce97b9f81c77879		 pdf-font-stream PDF embedded font (sfnt) at offset 0x665C1 11876 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.