Malicious PDF — malware analysis report

Static analysis result for SHA-256 85136071d521cbf2…

MALICIOUS

PDF

Size: 46.3 KB
Created: 2020-08-23 18:27:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c3c7ab2eb45379743fe39a55dda59829
SHA-1: ced0f51b8ffa9579d4f2467b94402560d037afc7
SHA-256: 85136071d521cbf268662a4beaaed03d59cf52296a6cb3b72c759ff38343947e
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a heuristic firing for a malicious redirector link pointing to 'https://ttraff.ru/pify?keyword=bean+movie++in+tamil'. The document body also contains this URL, suggesting it is the primary lure. While no scripts were explicitly extracted, the nature of the redirector implies an attempt to lead the user to a malicious site, likely for phishing or to download a second-stage payload. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=bean+movie++in+tamil

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00004c26.bin
    SHA-256: dc040caf2469ed5366c96362fde41013744e668b7059c4c4ce84123c8bfcd42c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4C26
    Size: 4668 bytes
  • font_01_sfnt_off00005bf3.bin
    SHA-256: 866569f7ea275f16485b3f25f767980ad47d1e0047ac6cd1a5fec3ee4a140a09
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5BF3
    Size: 11332 bytes
  • font_02_sfnt_off00007973.bin
    SHA-256: d873de473ecc791ae6f62a6845098a774ff8a7500b42013f0214734b3b1e23d0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7973
    Size: 4456 bytes
  • font_03_sfnt_off00008940.bin
    SHA-256: fad38806c097d5ad2518cd9d44e5859c32eec19f8d1e26a6d81f7178132ff39b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8940
    Size: 10160 bytes