Malicious PDF — malware analysis report

Static analysis result for SHA-256 8d2dda3237f5b858…

MALICIOUS

PDF

32.6 KB Created: 2020-08-18 17:56:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 329d43bcda1d25ab12fe376a08fa3e2c SHA-1: 531ea9ad16dc99f945d92f013d11041c492fec63 SHA-256: 8d2dda3237f5b8588135e4fce3e45d66fbe80ea800f4a0403c4a77d52270cef3
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

This PDF file contains a significant number of external links, identified as a link farm. One of these links, 'https://ttraff.cc/pify?keyword=road+ambience+sound+effects+free', points to known malicious redirector infrastructure. The document body is heavily obfuscated and contains what appears to be junk data, but the embedded URL is clearly visible. The primary purpose appears to be redirecting users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=road+ambience+sound+effects+free
    • http://files.airplanemusicgroup.com/uploads/1/3/1/6/131636969/39f19.pdf
    • https://cdn.shopify.com/s/files/1/0437/0844/8922/files/remisirotonikerejoxuf.pdf
    • https://cdn.shopify.com/s/files/1/0429/8981/3909/files/26791089338.pdf
    • https://cdn.shopify.com/s/files/1/0440/0090/3318/files/gufivetegefoli.pdf
    • https://cdn.shopify.com/s/files/1/0430/0292/1111/files/origin_and_evolution_of_bryophytes.pdf
    • https://cdn.shopify.com/s/files/1/0431/0843/4081/files/jivolerozotosibe.pdf
    • https://cdn.shopify.com/s/files/1/0437/6405/6225/files/laboratory_safety_rules_poster.pdf
    • https://cdn.shopify.com/s/files/1/0428/2292/6492/files/dorenodusaf.pdf
    • https://cdn.shopify.com/s/files/1/0450/4082/8566/files/rekajud.pdf
    • https://cdn.shopify.com/s/files/1/0438/2107/2546/files/analytical_mechanics_of_space_systems_3rd_edition.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000042b5.bin
712fae141f3ec7315158e4d40a18928ee120649e0d10f2bded3af7e226e3f399		 pdf-font-stream PDF embedded font (sfnt) at offset 0x42B5 5284 bytes
font_01_sfnt_off00005497.bin
afc918ac423873544e537112bdd1cc8acc563c82d22a21d1427c7d45b08149f9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5497 9684 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.