Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9f6a663c2b11f68…

Verdict: MALICIOUS
File type: PDF
Size: 47.6 KB
Created: 2020-08-12 06:57:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d0b08c95ad70a24d5996c1943bd69045
SHA-1: 115e36769b5f50d8a9844178b5df8f598cc11887
SHA-256: b9f6a663c2b11f68ee730a6c8e4dbc18d1137a287f59740f6d187552834446be
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, many pointing to benign Shopify domains, but one critical link directs to a known malicious redirector at `ttraff.ru`. This suggests the document is designed to lead users to malicious content, most likely for phishing or malware distribution. The ML classifier strongly supports the malicious verdict for this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains a mass of external PDF links (link farm) (severity: critical, rule: PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=technical+analysis+of+financial+markets+murphy+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000651c.bin
    SHA-256: d4f2d5bfc33f2a2d80f98a21f455a679462d29e932525d774713205f01047838
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x651C
    Size: 5512 bytes
  • Filename: font_01_sfnt_off000077a9.bin
    SHA-256: 813669445982cb7187169781be9a699c8f0b7e73c8a6368e5948ae72606340a5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x77A9
    Size: 10156 bytes
  • Filename: font_02_sfnt_off00009aa6.bin
    SHA-256: 49230a07578f2a0b108554ff1d47b1cb24b8f8081254bad551c0ce72ea05e0a5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9AA6
    Size: 16544 bytes