Malicious PDF — malware analysis report

Static analysis result for SHA-256 8390f2b3cf1fde43…

Verdict: MALICIOUS
File type: PDF
Size: 177.7 KB
Created: 2020-08-18 22:17:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 159391459240fc951e558c7b8de5f807
SHA-1: f1589ffd65dbad1784372e45e630c677ea5b80a0
SHA-256: 8390f2b3cf1fde436518f1b4951ef47009df1a3eec9e8db3b25e7f07af775fd7
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript (note: none of the heuristics listed below report JavaScript in this sample; the redirector heuristic itself describes this campaign as relying on user interaction and redirect chains)

A critical heuristic fired on a clickable link to the redirector URL 'https://ttraff.ru/pify?keyword=aparichitudu+cinema+songs'. The document body, although heavily obfuscated, carries this URL, which suggests that the file's primary purpose is to lure the reader to that site. The ML classifier also flagged the PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9962

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels (not reproduced here) indicate which channel (macro, JS, link annotation, document body, ...) reached each URL. The w3.org, purl.org and ns.adobe.com entries are XMP/RDF namespace identifiers from the document metadata, and the SIL OFL, DejaVu, Lohit, Dalton Maag and Ascender entries are font licence and vendor URLs of the kind carried in embedded font name tables; neither group is a navigable link offered to the reader.
    • https://ttraff.ru/pify?keyword=aparichitudu+cinema+songs
    • http://kulaju.ballardbanjers.com/uploads/1/3/1/3/131398540/634ed2.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0431/3199/4280/files/english_to_urdu_vocabulary_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0434/2739/7797/files/si_joint_stretches.pdf
    • https://cdn.shopify.com/s/files/1/0430/2739/8807/files/26789722552.pdf
    • https://cdn.shopify.com/s/files/1/0431/2052/5476/files/29529541313.pdf
    • https://cdn.shopify.com/s/files/1/0430/6767/0689/files/committee_meeting_notice_template.pdf
    • https://cdn.shopify.com/s/files/1/0430/7088/1946/files/4191940244.pdf
    • https://cdn.shopify.com/s/files/1/0434/3581/9173/files/87151902173.pdf
    • https://cdn.shopify.com/s/files/1/0434/7727/0692/files/5815185758.pdf
    • https://cdn.shopify.com/s/files/1/0429/3296/1443/files/vegarufu.pdf
    • https://cdn.shopify.com/s/files/1/0437/4052/8792/files/fixifajajutaresabebune.pdf
    • https://cdn.shopify.com/s/files/1/0436/0149/4179/files/html_to_javascript.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
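The two structural heuristics above (a /URI link action pointing at redirector infrastructure, and an object number defined twice with different bodies) can be reproduced with a raw scan of the file bytes. The following is an added example, not the scanner's own code: it parses `N G obj ... endobj` definitions without trusting the xref table, reports duplicates whose bodies differ, and resolves the link annotation's target under both first-wins and last-wins policies so the two readers' views can be compared. The embedded PDF, its object numbers and the redirector.example URL are constructed for the demonstration, and the set of dictionary keys treated as "active content" is this example's assumption.

```python
import re
from collections import defaultdict

# Constructed sample: a one-page PDF whose link action (object 5 0) is redefined in an
# incremental update. The xref tables are deliberately minimal (offsets are not accurate)
# because this scanner walks the raw bytes instead of trusting the cross-reference table.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 200 20] /A 5 0 R >>\nendobj\n"
    b"5 0 obj\n<< /S /URI /URI (http://docs.example/benign.html) >>\nendobj\n"
    b"xref\n0 0\ntrailer\n<< /Size 6 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"
    # Incremental update: same object number and generation, different body.
    b"5 0 obj\n<< /S /URI /URI (https://redirector.example/pify?keyword=lure) >>\nendobj\n"
    b"xref\n0 0\ntrailer\n<< /Size 6 /Root 1 0 R /Prev 0 >>\nstartxref\n0\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
ACTION_REF_RE = re.compile(rb"/A\s+(\d+)\s+(\d+)\s+R")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # literal strings only; hex strings <...> not handled
# Keys this example treats as "active content" (assumption; /URI is included because a
# changed link target is exactly the redirector shape described in the report).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
               b"/SubmitForm", b"/GoToR", b"/URI")


def parse_objects(data):
    """All `N G obj ... endobj` definitions in file order, duplicates included."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3)) for m in OBJ_RE.finditer(data)]


def is_incremental_update(data):
    """More than one %%EOF marker means the file carries at least one incremental update."""
    return data.count(b"%%EOF") > 1


def find_duplicate_objects(data):
    """Objects defined more than once with differing bodies; severity raised for active content."""
    bodies = defaultdict(list)
    for num, gen, body in parse_objects(data):
        bodies[(num, gen)].append(body.strip())
    findings = []
    for (num, gen), defs in bodies.items():
        if len(defs) < 2 or len(set(defs)) < 2:
            continue  # single definition, or byte-identical copies (plain rewrite)
        active = any(key in body for body in defs for key in ACTIVE_KEYS)
        findings.append({
            "obj": f"{num} {gen}",
            "definitions": len(defs),
            "first_wins": defs[0],
            "last_wins": defs[-1],
            "active_content": active,
            "severity": "warning" if active else "info",
        })
    return findings


def resolved_objects(data, policy="last"):
    """The object table as a reader with the given duplicate-resolution policy sees it."""
    objs = {}
    for num, gen, body in parse_objects(data):
        if policy == "first" and (num, gen) in objs:
            continue
        objs[(num, gen)] = body
    return objs


def extract_link_uris(data, policy="last"):
    """URIs reached through /Link annotations, resolved under first-wins or last-wins."""
    objs = resolved_objects(data, policy)
    uris = []
    for body in objs.values():
        if not re.search(rb"/Subtype\s*/Link", body):
            continue
        ref = ACTION_REF_RE.search(body)
        # /A may be an indirect reference (resolved under the policy) or an inline dictionary.
        action = objs.get((int(ref.group(1)), int(ref.group(2)))) if ref else body
        if action is None:
            continue  # dangling reference
        uris.extend(m.group(1).decode("latin-1") for m in URI_RE.finditer(action))
    return uris


if __name__ == "__main__":
    print("incremental update:", is_incremental_update(SAMPLE_PDF))
    for finding in find_duplicate_objects(SAMPLE_PDF):
        print(f"[{finding['severity']}] object {finding['obj']} defined "
              f"{finding['definitions']}x with different bodies")
    for policy in ("first", "last"):
        print(f"{policy}-wins link targets:", extract_link_uris(SAMPLE_PDF, policy))
```

Run against a real sample, the interesting output is a disagreement between the two policies: a first-wins reader (or a scanner that stops at the first definition) sees the benign target while a last-wins viewer follows the redirector. When both policies agree and the duplicate carries none of the active keys, the finding stays at info, which matches how the scanner treated the body-only duplicate in this report.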

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00021e93.bin | 8677f9b8e7a180ba64b1087708eca898f33073d8eb0a51503191550c965fb411 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x21E93 | 5328 bytes
font_01_sfnt_off00023074.bin | 19332c948c032299046802407d5d4ab3990c6946b0936b3e34b9d8c30e99cd77 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x23074 | 11288 bytes
font_02_sfnt_off00024dae.bin | 508869ad2beceb3a64e2523255069d13da9e4d0e9ee38dbfc24254bb99de19fa | pdf-font-stream | PDF embedded font (sfnt) at offset 0x24DAE | 16028 bytes
font_03_sfnt_off00027fdc.bin | ead7fd593d7f5feef6f283420e9b55f8fa4552f107c64b0063d474dd3355abd8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x27FDC | 16164 bytes
font_04_sfnt_off000294f5.bin | 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x294F5 | 4324 bytes
font_05_sfnt_off0002a2f6.bin | 20066f44af4142f2c8678e4976c446682a737d37bfdea8351324ed6004fc5bab | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2A2F6 | 5968 bytes
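The artifact table above lists embedded fonts carved from the document's font streams, keyed by file offset, decoded size and SHA-256. The following is an added example (not the scanner's own code) that reproduces that carving on a constructed PDF: it locates stream objects by their direct /Length value, inflates FlateDecode streams, keeps those that begin with an sfnt signature, and names them with the same font_NN_sfnt_offXXXXXXXX.bin convention together with the decoded size and hash. The sample PDF, its object numbers and the stub font bytes are constructed; handling only direct /Length values and flat stream dictionaries is a simplification of this example.

```python
import hashlib
import re
import zlib

# sfnt offset-table signatures: TrueType (0x00010000 or 'true'), CFF-based OpenType ('OTTO'),
# TrueType collection ('ttcf').
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")

# Constructed stand-in for an embedded font: a 12-byte sfnt offset table (version 0x00010000,
# numTables 0) plus padding. Enough for the signature check; it is not a renderable font.
FONT_BYTES = b"\x00\x01\x00\x00" + b"\x00\x00" * 4 + b"\x00" * 52

# Stream object header: "N G obj << dict >> stream\n". The dictionary match is non-greedy,
# so nested dictionaries and indirect /Length values are out of scope for this example.
STREAM_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*<<(.*?)>>\s*stream\r?\n", re.DOTALL)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")  # \s+ keeps this from matching /Length1


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_sample_pdf():
    """Constructed PDF: one page-content stream (not a font) and one FlateDecode FontFile2 stream."""
    compressed = zlib.compress(FONT_BYTES)
    return (
        b"%PDF-1.4\n"
        b"6 0 obj\n<< /Length 9 >>\nstream\nBT ET q Q\nendstream\nendobj\n"
        b"7 0 obj\n<< /Length " + str(len(compressed)).encode()
        + b" /Filter /FlateDecode /Length1 " + str(len(FONT_BYTES)).encode() + b" >>\n"
        b"stream\n" + compressed + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )


def carve_sfnt_fonts(pdf):
    """Walk every stream, inflate FlateDecode data, keep streams that start with an sfnt signature."""
    artifacts = []
    for m in STREAM_RE.finditer(pdf):
        length = LENGTH_RE.search(m.group(3))
        if not length:
            continue  # indirect /Length (e.g. "/Length 8 0 R"): not resolved in this example
        offset = m.end()  # file offset of the first stream byte, as the report lists it
        raw = pdf[offset:offset + int(length.group(1))]
        if b"/FlateDecode" in m.group(3):
            try:
                decoded = zlib.decompress(raw)
            except zlib.error:
                continue  # corrupt or truncated stream: nothing to carve
        else:
            decoded = raw
        if decoded[:4] not in SFNT_MAGICS:
            continue  # content stream, image, XMP, etc.
        idx = len(artifacts)
        artifacts.append({
            "filename": f"font_{idx:02d}_sfnt_off{offset:08x}.bin",
            "sha256": sha256_hex(decoded),
            "kind": "pdf-font-stream",
            "source": f"PDF embedded font (sfnt) at offset 0x{offset:X}",
            "size": len(decoded),
            "offset": offset,
            "data": decoded,
        })
    return artifacts


if __name__ == "__main__":
    for art in carve_sfnt_fonts(build_sample_pdf()):
        print(art["filename"], art["sha256"], art["kind"], art["source"], f"{art['size']} bytes")
```

The size recorded is the decoded length, not the on-disk stream length, which is why the offsets in the table above can sit closer together than the listed sizes would allow. Hashing the carved fonts gives a stable pivot: documents produced by the same generator with the same font set share them, which helps cluster a campaign's PDFs even when the lure text and URLs change.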