Malicious PDF — malware analysis report

Static analysis result for SHA-256 84ff07a1051fc9a2…

MALICIOUS

PDF

Size: 50.7 KB
Created: 2020-08-05 09:11:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e7145a8d2be520ebabf479b45fbd144a
SHA-1: 69b46e0bcdf96b7b06786728fb63ede4f4292977
SHA-256: 84ff07a1051fc9a2da05c286a8031c4710c1a2e3df6df57aeb7c7e579fad67aa
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains embedded URLs that lead to a known malicious redirector, ttraff.com, which is designed to lure users into clicking through to potentially harmful content. The document body, though heavily obfuscated, contains text related to 'Adda247 puzzle and seating arrangement book pdf', suggesting a lure to trick users into downloading malicious content disguised as study material. The presence of numerous external PDF links, many pointing to Shopify, further indicates a link farm or SEO poisoning tactic to increase visibility and clicks.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=adda247+puzzle+and+seating+arrangement+book+pdf

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006812.bin
  SHA-256: 22246985f00559daad09adbdb2b3d0a255af3a7ac2e126f2fcbc7b001a89e16a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6812
  Size: 5788 bytes

Filename: font_01_sfnt_off00007bb2.bin
  SHA-256: a6e6e1d9338d1b91fe27e92dc7a7b52e168dbdf2d649fc5d85ccd4ca8d73dc22
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7BB2
  Size: 3068 bytes

Filename: font_02_sfnt_off00008862.bin
  SHA-256: d3e405cadd3e5b5177f2a2b8817c779f80c652e6906ed79aaf8203296d46b023
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8862
  Size: 11748 bytes

Filename: font_03_sfnt_off0000aef8.bin
  SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xAEF8
  Size: 4324 bytes