Malicious PDF — malware analysis report

Static analysis result for SHA-256 88faa145c10c0322…

MALICIOUS

PDF

111.3 KB Created: 2020-08-19 08:45:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f980548c5bb11f790275e7df25f3ac16 SHA-1: 3978d92f652683cc960cdd5c52f1e7c0c2f18b0c SHA-256: 88faa145c10c03223657480317408c3c8cf6da465a2b3ff25ddf0b6317eaac46
152 Risk Score

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it points to known malicious infrastructure. The embedded URL https://ttraff.ru/pify?keyword=how+to+use+dope+sheet+maya is the primary indicator of this malicious redirection. The ML classifier also strongly flagged this PDF as malicious. The document body, though heavily obfuscated, contains the same URL, reinforcing its malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=how+to+use+dope+sheet+maya

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000176de.bin | f505111964750619e390fad3830d833a1b14ac9eef8e9c0d790f9c7a38cdf23c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x176DE | 5228 bytes
font_01_sfnt_off00018899.bin | 333e36eae6e12d5e2ab2a4ccb77e949a40d0f0049fed066cbe6ba33b3b53c2e6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18899 | 12260 bytes