Malicious PDF — malware analysis report

Static analysis result for SHA-256 935bba9d1c227de1…

MALICIOUS

PDF

46.2 KB Created: 2020-08-26 04:03:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 38532a566fd52366da7bdf5957edbc66 SHA-1: c49a7ec5f94e98a190432dce77c33d7feca9a0ae SHA-256: 935bba9d1c227de11f3682e780ffde3edb64eb709ebe9aa32f74636ca51e06b0
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing indicating a malicious redirector link. The primary malicious URL, https://ttraff.me/pify?keyword=journal+de+th%25C3%25A9rapie+comportementale, is directly embedded and likely serves as the initial lure. While no scripts were extracted, the presence of this malicious URL strongly suggests a phishing or malware distribution attempt. The document body, though heavily corrupted, contains fragments of the URL and benign-looking text, which is a common tactic to disguise malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/pify?keyword=journal+de+th%25C3%25A9rapie+comportementale
    • http://mazufuxud.annarbortreeservice.net/uploads/1/3/1/4/131406893/2930818.pdf
    • https://cdn.shopify.com/s/files/1/0433/9266/3702/files/mofibajuxuketamo.pdf
    • https://cdn.shopify.com/s/files/1/0432/3983/3763/files/modo_marble_monopoly.pdf
    • https://cdn.shopify.com/s/files/1/0430/0010/3073/files/tetadijitufofuxadatoma.pdf
    • https://cdn.shopify.com/s/files/1/0467/9906/1141/files/mount_blade_serial_key.pdf
    • https://cdn.shopify.com/s/files/1/0433/6012/5080/files/35852434257.pdf
    • https://cdn.shopify.com/s/files/1/0432/4104/6171/files/19695445240.pdf
    • https://cdn.shopify.com/s/files/1/0430/6193/6290/files/hidrocarburos_aromaticos_nomenclatura_iupac.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004b89.bin
8fcd5330e7596429eb7c549ec33a7acbfda277e0bd598452454663fa59fc55d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4B89 5148 bytes
font_01_sfnt_off00005c8f.bin
752b11cd82eb0ec2428cb36e1ae6d948ec72dd9132756ef0d983ddf45664ac38		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C8F 13192 bytes
font_02_sfnt_off00008562.bin
48fb3e59171904aab07926dd58a1464fde7da279cdcbdb25530b5c59289c931f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8562 16488 bytes
font_03_sfnt_off00009ba9.bin
1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9BA9 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.