Malicious PDF — malware analysis report

Static analysis result for SHA-256 85a1cb7660720526…

MALICIOUS

PDF

65.4 KB Created: 2020-08-27 15:00:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 82f16754c0139f8d2d07b5a1b4e8b606 SHA-1: 1ae23e1345fce7250bd2318de3d8a136fe2aaec1 SHA-256: 85a1cb766072052624d727b9d13eda9190694089f0e9ce4a20a2f854d56aa785
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains numerous embedded URLs, with a critical heuristic identifying a link to known malicious redirector infrastructure at 'https://ttraff.ru/pify?keyword=revolutionary+army+one+piece'. Another heuristic indicates a PDF link farm, suggesting SEO manipulation or a large-scale distribution effort. The document also contains a lure for clipboard command execution, indicating an attempt to trick users into running malicious commands.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=revolutionary+army+one+piece
    • http://budalunof.hydrologicsportfishing.com/uploads/1/3/0/7/130738667/4172698.pdf
    • http://files.alignwellnesscare.com/uploads/1/3/1/3/131379732/b482ac7b.pdf
    • http://files.deperehistory.org/uploads/1/3/0/7/130739780/tilekuxepebuk-borezes-mizedixax.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0435/6741/5457/files/scrivener_tutorial.pdf
    • https://cdn.shopify.com/s/files/1/0435/0961/2712/files/learning_computer_security.pdf
    • https://cdn.shopify.com/s/files/1/0437/1018/5637/files/strengthening_families_program.pdf
    • https://cdn.shopify.com/s/files/1/0433/9056/6556/files/gmat_verbal_review.pdf
    • https://cdn.shopify.com/s/files/1/0431/6764/5857/files/92752639466.pdf
    • https://cdn.shopify.com/s/files/1/0449/8161/6808/files/sample_answer_to_defamation_complaint_california.pdf
    • https://cdn.shopify.com/s/files/1/0461/8885/5459/files/csop_ftse_china_a50_etf_fact_sheet.pdf
    • https://cdn.shopify.com/s/files/1/0429/5095/1066/files/kipafunizemuwanoruxaxo.pdf
    • https://cdn.shopify.com/s/files/1/0436/2086/0064/files/23762170664.pdf
    • https://cdn.shopify.com/s/files/1/0430/3169/1421/files/56318705990.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b817.bin
b10c51a91132d65ee339c6eb3480c918eca1c945915505ef98e34c6fbd0f799f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB817 3396 bytes
font_01_sfnt_off0000c426.bin
472246beaefd8cc34de6467ad53d45b4131bd4f6e5ef88af03fc29f6e84514fc		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC426 5072 bytes
font_02_sfnt_off0000d561.bin
779642f6649ee2214e64aedb0ed856d63c865c9cd5edc2fe8d8c42b776c6fdaa		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD561 10192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.