Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a6bdbbf5fc54a55…

MALICIOUS

PDF

35.8 KB Created: 2020-08-22 05:12:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 31069ad8a68c67c0e1b56e717cbd197c SHA-1: 40bacbaf72502bd5b1d54f3b73d02b026005b204 SHA-256: 8a6bdbbf5fc54a55ff303a56b77444f42d8ae4c40e134753c4326f3b22cee847
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The PDF document exhibits characteristics of a link farm, embedding numerous external links. One critical heuristic identified a link to a known malicious redirector service, ttraff.com, which likely serves to obscure the ultimate malicious destination. The ML classifier also strongly indicated maliciousness. No scripts were extracted, but the extensive linking strategy suggests a delivery mechanism for further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=malayala+manorama+e+weekly+pdf
    • http://files.stephanie-hixon.com/uploads/1/3/0/8/130813829/9332440.pdf
    • https://cdn.shopify.com/s/files/1/0438/7930/1288/files/muslim_boy_name_list.pdf
    • https://cdn.shopify.com/s/files/1/0431/7678/8117/files/8486192537.pdf
    • https://cdn.shopify.com/s/files/1/0430/0704/9877/files/speaky_apk_for_pc.pdf
    • https://cdn.shopify.com/s/files/1/0457/7093/2390/files/marfan_syndrome_guideline_management.pdf
    • https://cdn.shopify.com/s/files/1/0431/2937/2832/files/viduzerodifuxulonagugu.pdf
    • https://cdn.shopify.com/s/files/1/0433/1801/8203/files/78705773756.pdf
    • https://cdn.shopify.com/s/files/1/0428/4180/0860/files/bazujopapajumeg.pdf
    • https://cdn.shopify.com/s/files/1/0465/2888/8982/files/56782225369.pdf
    • https://cdn.shopify.com/s/files/1/0433/4632/9750/files/52915097291.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004bf6.bin
f267dc97b88e5a5fb5e646f4e8311af1ba70895c658e1def7163818dce645152		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4BF6 5272 bytes
font_01_sfnt_off00005dee.bin
589152d5f7b5a03afb76e4142dc6c3fc36436127c3e27dd7c80e53f7b178da9a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5DEE 10800 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.