Malicious PDF — malware analysis report

Static analysis result for SHA-256 920945a4c98c9c76…

MALICIOUS

PDF

55.3 KB Created: 2020-08-19 17:22:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e5b95e4f1181655c6dc14ac228f9f51c SHA-1: 9ab0b0c72d9a151588fa737f187e6677539a7598 SHA-256: 920945a4c98c9c76a590cff734dadf2ce0aa0ea34c6891e39a6deb1589013fdc
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to `https://ttraff.ru/pify?keyword=would+you+please+answer+the+following+questions`. Additionally, the PDF is identified as a link farm, with numerous links to external PDFs, many hosted on `cdn.shopify.com` and other domains. The ML classifier strongly flagged this PDF as malicious. The document body, though partially corrupted, contains the same redirector URL and a generic prompt, suggesting a lure to trick users into clicking the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=would+you+please+answer+the+following+questions
    • http://xexugob.rutgerscki.org/uploads/1/3/1/6/131637136/lilobawunena-wakufozaga-melopamidow-paxefipezofamos.pdf
    • http://files.erspamermusic.com/uploads/1/3/1/4/131437924/d0b1f051778.pdf
    • http://files.raymondwoodward.com/uploads/1/3/1/6/131637307/399d70d9f118c.pdf
    • https://cdn.shopify.com/s/files/1/0427/6980/9575/files/jelefekudesatil.pdf
    • https://cdn.shopify.com/s/files/1/0431/0604/2013/files/44945563604.pdf
    • https://cdn.shopify.com/s/files/1/0435/6413/8651/files/45026618311.pdf
    • https://cdn.shopify.com/s/files/1/0453/8662/9288/files/part_time_employment_contract_template_malaysia.pdf
    • https://cdn.shopify.com/s/files/1/0437/8938/5879/files/bts_we_are_bulletproof_song.pdf
    • https://cdn.shopify.com/s/files/1/0436/9701/2890/files/wukidabaxeju.pdf
    • https://cdn.shopify.com/s/files/1/0436/9602/9864/files/87540881656.pdf
    • https://cdn.shopify.com/s/files/1/0433/6104/2591/files/minecraft_gun_texture_pack.pdf
    • https://cdn.shopify.com/s/files/1/0430/5479/2866/files/93945016386.pdf
    • https://cdn.shopify.com/s/files/1/0430/8631/5682/files/xedavevogexemudutozuwejar.pdf
    • https://cdn.shopify.com/s/files/1/0440/3209/8469/files/blueprints_neurology.pdf
    • https://cdn.shopify.com/s/files/1/0433/4151/2855/files/81712398054.pdf
    • https://cdn.shopify.com/s/files/1/0432/8783/8886/files/45680855278.pdf
    • https://cdn.shopify.com/s/files/1/0430/1311/1961/files/3579680308.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000089d9.bin
fee0fba1fefc6c657a3f8f8258667829dc42136c3b97a8eca2c3c5f9d9e1586b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x89D9 4288 bytes
font_01_sfnt_off0000990b.bin
02bf5abb7139f22d8387b1c5f8f28baa22fc82c78b0ce6d64987a33f4154ead7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x990B 5636 bytes
font_02_sfnt_off0000ac53.bin
f532e890980ea5488365b66d6ca9ab836c0207e34dc35f7c5a85cefd29415629		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAC53 10300 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.