Malicious PDF — malware analysis report

Static analysis result for SHA-256 8366b6d3083daf70…

Verdict: MALICIOUS
File type: PDF
Size: 38.7 KB
Created: 2020-08-06 20:57:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dce38e59f8cc8962124c796b67a46b4c
SHA-1: d66f8fbb7faa8af37198dafd5d0e828bd29c95b8
SHA-256: 8366b6d3083daf700dfc26dac7fa180ccd61976d7c9420afc1ec7ba2a4990550
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF triggers a critical heuristic for a malicious redirector link, specifically 'https://ttraff.com/pify?keyword=dc+msme+schemes+pdf'. This indicates a phishing attempt, likely intended to make users believe they are accessing legitimate government scheme information. The document body, though heavily obfuscated, contains references to this URL and to a cluster of Shopify-hosted PDF links, suggesting a link farm used to obscure the malicious destination. No scripts were extracted, but the presence of multiple embedded URLs together with the malicious redirector strongly suggests a phishing attack.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=dc+msme+schemes+pdf (the redirector link flagged by PDF_MALICIOUS_REDIRECTOR_LINK)
    • http://files.kellyjacobsonstudios.com/uploads/1/3/1/4/131437930/e168581.pdf
    • http://files.omalleyfoundation.com/uploads/1/3/0/7/130739265/bivixedewarag.pdf
    • http://files.sjogsomerset.org/uploads/1/3/0/9/130969001/ae9df28.pdf
    • http://files.calebpowellartist.com/uploads/1/3/1/3/131380849/9094147.pdf
    • https://cdn.shopify.com/s/files/1/0431/3917/0466/files/65257208892.pdf
    • https://cdn.shopify.com/s/files/1/0433/4711/6197/files/nupedusufawimomofikejaz.pdf
    • https://cdn.shopify.com/s/files/1/0430/0577/1927/files/dunepanifowe.pdf
    • https://cdn.shopify.com/s/files/1/0429/9456/5271/files/latum.pdf
    • https://cdn.shopify.com/s/files/1/0433/7578/8184/files/josegejuz.pdf
    • https://cdn.shopify.com/s/files/1/0430/4021/1105/files/16709051725.pdf
    • https://cdn.shopify.com/s/files/1/0440/5251/2918/files/karuna_reiki.pdf
    • https://cdn.shopify.com/s/files/1/0432/3419/7666/files/xejanejokedaliwiwajozez.pdf
    • https://cdn.shopify.com/s/files/1/0429/7592/0282/files/microsoft_sql_commands.pdf
    • https://cdn.shopify.com/s/files/1/0430/9699/8048/files/19434233110.pdf
    • https://cdn.shopify.com/s/files/1/0428/6332/9446/files/20102596851.pdf
    • https://cdn.shopify.com/s/files/1/0434/3624/5144/files/37464032184.pdf
    The following six URIs are XMP/RDF namespace identifiers from the document's metadata stream, not clickable links, and are expected in any PDF carrying XMP metadata:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00004e7c.bin
    SHA-256: 39547a3cf941eaa190d99a8a3ab6d64b73ba2058dc014fccc354132f4cd09db1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4E7C
    Size: 5056 bytes
  • font_01_sfnt_off00005f93.bin
    SHA-256: ce2d6257c8b84893694975285da4d31234da0e9f65c5b2018bd190b4f2d1e114
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5F93
    Size: 9996 bytes
  • font_02_sfnt_off0000820e.bin
    SHA-256: fde2dc7fe564c9fb2442a497639645e79a7e6adec832009ef78f86df68da3a40
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x820E
    Size: 2944 bytes