Malicious PDF — malware analysis report

Static analysis result for SHA-256 891546e8be20c4ac…

MALICIOUS

PDF

125.0 KB Created: 2020-08-10 06:28:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 254d313d0f7328bbeae54387c2e88cfd SHA-1: ebe0b28fa317e173e97abc38d6d2fa5261db6c06 SHA-256: 891546e8be20c4ac9c51a7795232fc837b08ca2744f8854277dbb2e889cf4fee
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains numerous embedded links, with a critical heuristic firing for a malicious redirector. The primary malicious URL, https://ttraff.com/pify?keyword=english+brushup+5th+edition+pdf+free, is designed to lure users into downloading content, likely leading to a phishing or malware distribution site. The document body, though heavily obfuscated, contains references to this malicious URL and other benign-looking Shopify links, suggesting a deceptive lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9958

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=english+brushup+5th+edition+pdf+free
    • http://files.herbaculture.org/uploads/1/3/1/3/131383720/toxilowexibepesapi.pdf
    • http://files.renevelarde.net/uploads/1/3/1/6/131606431/87142fe.pdf
    • http://files.now-hope.org/uploads/1/3/1/4/131409009/pawaram.pdf
    • http://tosiji.mackaychocolatebouquets.com.au/uploads/1/3/1/3/131380213/8902773.pdf
    • http://nukimerip.msjchem.com/uploads/1/3/2/7/132740873/xidolozeg.pdf
    • https://cdn.shopify.com/s/files/1/0433/9784/1054/files/28961070020.pdf
    • https://cdn.shopify.com/s/files/1/0435/3071/5288/files/84384961580.pdf
    • https://cdn.shopify.com/s/files/1/0435/1341/3786/files/bendigo_bank_term_deposit_rates.pdf
    • https://cdn.shopify.com/s/files/1/0430/8425/1285/files/fake_college_acceptance_letter.pdf
    • https://cdn.shopify.com/s/files/1/0439/8071/8238/files/dns_server_unavailable.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/tizerosotusalasebix.pdf
    • https://cdn.shopify.com/s/files/1/0431/4939/4080/files/pfsense_freenas_jail.pdf
    • https://cdn.shopify.com/s/files/1/0433/1785/4373/files/48807190132.pdf
    • https://cdn.shopify.com/s/files/1/0439/0633/4888/files/3494321508.pdf
    • https://cdn.shopify.com/s/files/1/0430/4892/7386/files/56960064629.pdf
    • https://cdn.shopify.com/s/files/1/0436/9163/8934/files/xetuvijego.pdf
    • https://cdn.shopify.com/s/files/1/0429/9456/5271/files/wevonugasenuwofatefomax.pdf
    • https://cdn.shopify.com/s/files/1/0435/9382/6467/files/zumowabuwirukazipapo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_007_off0001262a.bin
69df7c9faf7511ece004a981dcfb9ddafc1f38e111b28399d5ed84b0c38eaaa6		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1262A 11520 bytes
stream_009_off00018497.bin
0daeac68262450823d5589a4dd000c2442dd8b039c87ab202cdc4882dc28b8a8		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x18497 30880 bytes
font_00_sfnt_off0000bd69.bin
30c747c37f277412cea3ca029775b71a1bbf7889be097bd20cd909184c21bc33		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBD69 24256 bytes
font_01_sfnt_off00010abd.bin
37c312447a992fee30a7ba18101e2e8522df44bbe6111925dfbf1a16b4b34954		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10ABD 5196 bytes
font_02_sfnt_off00011c52.bin
7d52a69efacf94308061ddcc7f5e4480d44ba60ac9b19c81a3efa62dad374059		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11C52 2188 bytes
font_04_sfnt_off000146a6.bin
4f0b0bb950f3618d28bcdb0318fd5694e4eab8a525025eb31e1a70765fc0b828		 pdf-font-stream PDF embedded font (sfnt) at offset 0x146A6 21684 bytes
font_06_sfnt_off0001bb46.bin
1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1BB46 4324 bytes
font_07_sfnt_off0001c946.bin
8b2d1158fdb4f9413a27e88b9af7a2bbcd9328a4227587e2a95fde3c0cdbbf4a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1C946 7904 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.