Malicious PDF — malware analysis report

Static analysis result for SHA-256 9fc3d63b64539ef5…

MALICIOUS

PDF

Size: 171.0 KB
Created: 2020-08-21 15:48:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 17f8ceecbb4a1453fb8eac253e126670
SHA-1: 287c421f71f57155f7fb1447d0025075121b9b33
SHA-256: 9fc3d63b64539ef5a61114cafb74c50a1cdb4a3e58dd87ef2c1895dd69047c32
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged as malicious by an ML classifier and contains a critical heuristic indicating a link to known malicious redirector infrastructure. The embedded URL, 'https://ttraff.ru/pify?keyword=greenhouse+effect+information+wikipedia', is presented within the document body, suggesting a lure to trick users into clicking it. The document's content appears to be obfuscated or corrupted, but the presence of the malicious URL is the primary indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://ttraff.ru/pify?keyword=greenhouse+effect+information+wikipedia
    • http://files.yogalotuspond.com/uploads/1/3/0/8/130874431/6ed023ad6e5ece7.pdf
    • https://cdn.shopify.com/s/files/1/0435/0682/7428/files/mercury_optimax_service_manual.pdf
    • https://cdn.shopify.com/s/files/1/0431/2439/2087/files/fulotekab.pdf
    • https://cdn.shopify.com/s/files/1/0430/0754/1401/files/duxumosurazavi.pdf
    • https://cdn.shopify.com/s/files/1/0434/0531/2156/files/23365372725.pdf
    • https://cdn.shopify.com/s/files/1/0430/7373/2768/files/vegebamemike.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/25424470269.pdf
    • https://cdn.shopify.com/s/files/1/0437/6104/1569/files/faderuzemosada.pdf
    • https://cdn.shopify.com/s/files/1/0433/0219/1269/files/givogufupe.pdf
    • https://cdn.shopify.com/s/files/1/0430/8549/6482/files/rezefik.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000264df.bin
    SHA-256: dc5b9943bc1faa701acc0663dd6adf327764bd0948e6d4f2c4c8dcc496fa1aa8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x264DF
    Size: 5548 bytes
  • Filename: font_01_sfnt_off000277a1.bin
    SHA-256: 50efd11339ac1ca7ff3fe60c52182ba8e552758331c38399e1f831bdb2aa238e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x277A1
    Size: 11928 bytes