Malicious PDF — malware analysis report

Static analysis result for SHA-256 888a3c82bf246286…

MALICIOUS

PDF

54.1 KB Created: 2020-08-12 04:19:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5eec817131a36b5cb24023383562f84b SHA-1: fa85181acf581066bdbacd48e0690c82fab84f5a SHA-256: 888a3c82bf246286288b92d1967662186feb099bd9fe90a496a7879032b46fa3
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to external PDF files, suggesting a link farm for SEO manipulation or to host malicious content. One of these links, 'https://ttraff.com/pify?keyword=swami+kadambari+pdf+download', is flagged as a known malicious redirector. The presence of numerous PDF links and a malicious redirector indicates an attempt to distribute or redirect users to harmful content, likely as part of a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=swami+kadambari+pdf+download
    • http://xexatur.windermerepsychologycentre.net/uploads/1/3/2/6/132696414/xawejalorezafe.pdf
    • http://files.davidwbolton.com/uploads/1/3/2/6/132681783/pevapotiwevinez-kuwete-paxirixove.pdf
    • http://files.518nextlevel.com/uploads/1/3/1/3/131384249/bawam.pdf
    • http://watuniru.vtiise.com/uploads/1/3/1/8/131856462/4ede173.pdf
    • http://files.independentauthornetwork.com/uploads/1/3/0/7/130775462/sivexugan-futid-rikoxuleb-setijidejunoki.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://cdn.shopify.com/s/files/1/0430/8706/9348/files/givexudogakilileruzokope.pdf
    • https://cdn.shopify.com/s/files/1/0434/9899/5878/files/adobe_acrobat_pro_dc_pack.pdf
    • https://cdn.shopify.com/s/files/1/0432/0441/1556/files/23210452642.pdf
    • https://cdn.shopify.com/s/files/1/0435/5896/1320/files/kabbalistic_numerology_and_the_mysteries_of_the_torah.pdf
    • https://cdn.shopify.com/s/files/1/0428/4986/1791/files/glencoe_pre-_algebra.pdf
    • https://cdn.shopify.com/s/files/1/0434/9621/0598/files/veruwedevosusezawuvulaba.pdf
    • https://cdn.shopify.com/s/files/1/0441/4432/8856/files/nurebowotelinun.pdf
    • https://cdn.shopify.com/s/files/1/0429/7441/2949/files/foxeravifotikolibaven.pdf
    • https://cdn.shopify.com/s/files/1/0436/0758/9027/files/43640496188.pdf
    • https://cdn.shopify.com/s/files/1/0436/1263/5299/files/mini_owners_lounge.pdf
    • https://cdn.shopify.com/s/files/1/0432/6152/6166/files/nuclear_throne_weapon_ids.pdf
    • https://cdn.shopify.com/s/files/1/0434/8595/4198/files/vivevusudetusetutiruvilon.pdf
    • https://cdn.shopify.com/s/files/1/0433/8266/9461/files/export_google_passwords.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005cb2.bin
629123bfde0685c5f69bbdd27ec008bde0224d5c30af1dabb990f6ee33ea778e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5CB2 6440 bytes
font_01_sfnt_off00006ca6.bin
8ffb2038474f94ff2dcbc2c0f94e8574171901f90ff93314470902dc1345a4d7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6CA6 5408 bytes
font_02_sfnt_off00007ef8.bin
3d01898e91c5734bd4bbac714ec895a8ca50b458a7ed865f8855ca94f7b0882f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7EF8 2332 bytes
font_03_sfnt_off00008960.bin
e8a52488cf49b0aa1ef0d8935fa7d252eb77caddc8226f4a61937103bf5d73e3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8960 10300 bytes
font_04_sfnt_off0000ac74.bin
7498db86d6908c202cab759542be670539308530957c7997546c376b3e080af2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAC74 9048 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.