Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd24b2af220e106a…

MALICIOUS

PDF

Size: 67.3 KB
Created: 2020-08-12 16:28:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1dbfc9c7793a15df06b2c88d67780d17
SHA-1: bc49f03c066d1d2a9c6f63963b0d61a099b0242c
SHA-256: bd24b2af220e106a55fac95e83e1cbec6bd21e6aa4e56e980ca5935bbcfc15dc
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 Malicious Link

The PDF contains a significant number of embedded URLs, forming a link farm. One of these URLs, https://ttraff.cc/pify?keyword=durga+saptashati+pdf+telugu, is identified as a malicious redirector. This suggests the document's primary purpose is to lure users to malicious sites, likely for phishing or to download further malware. The ML classifier strongly supports the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=durga+saptashati+pdf+telugu
    • http://files.rainbowschoolmn.org/uploads/1/3/1/6/131606878/gulifefejalux.pdf
    • http://worenokop.youngworlddayschool.org/uploads/1/3/1/6/131637016/suvobawusonav.pdf
    • http://files.getfireworksdelivered.com/uploads/1/3/1/1/131164176/nidafu_gogokibu_boxikobodil_xenudovana.pdf
    • http://rajosewop.kimberlyandersonritchie.com/uploads/1/3/0/9/130969723/f62fe6f71.pdf
    • http://pusox.aklcbc.org/uploads/1/3/2/6/132681231/4106420.pdf
    • https://cdn.shopify.com/s/files/1/0432/2515/3698/files/vejegubi.pdf
    • https://cdn.shopify.com/s/files/1/0428/4976/3487/files/35407289040.pdf
    • https://cdn.shopify.com/s/files/1/0448/0860/1762/files/characteristics_of_product_life_cycle.pdf
    • https://cdn.shopify.com/s/files/1/0429/2929/1427/files/test_psicologico_del_arbol_casa_y_persona.pdf
    • https://cdn.shopify.com/s/files/1/0428/9059/2422/files/future_stick_talk_mp3_download.pdf
    • https://cdn.shopify.com/s/files/1/0433/6680/9765/files/58263259713.pdf
    • https://cdn.shopify.com/s/files/1/0437/7188/7767/files/10403107110.pdf
    • https://cdn.shopify.com/s/files/1/0429/5370/3590/files/3469256779.pdf
    • https://cdn.shopify.com/s/files/1/0430/8362/8708/files/definicion_de_actitud_negativa.pdf
    • https://cdn.shopify.com/s/files/1/0431/7567/4014/files/66798588452.pdf
    • https://cdn.shopify.com/s/files/1/0430/5757/8138/files/data_structures_and_algorithms_in_swift_raywenderlich.pdf
    • https://cdn.shopify.com/s/files/1/0431/8858/4605/files/nabogeluze.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are XMP metadata namespace URIs (RDF, Dublin Core and Adobe PDF/XMP schemas) that any XMP packet carries; they are not clickable links and carry no detection weight.
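The three structural heuristics above (redirector link, link farm, duplicate object body) can be reproduced over raw PDF bytes. The script below is an added illustration, not the analysis engine's own code: the thresholds, the list of keys treated as "active content", and the PDF-shaped SAMPLE (with example.test hosts plus the redirector URL from this report) are assumptions constructed for the demonstration. It only sees objects stored as plain text; a real file whose objects live in compressed object streams has to be inflated first (qpdf --qdf or similar).

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): a PDF-shaped byte string with a
# small link farm (five .pdf links, four on one host), the redirector URL from
# this report, and object 4 redefined with a different body after the first
# %%EOF, the way an incremental update would append it.
SAMPLE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://cdn.example.test/files/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://cdn.example.test/files/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://cdn.example.test/files/c.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://cdn.example.test/files/d.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://files.other.test/x/e.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://ttraff.cc/pify?keyword=durga+saptashati+pdf+telugu) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.launchURL) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Literal-string /URI values and "N G obj ... endobj" bodies. Both only see
# objects stored as plain text; inflate object streams first for real files.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# Keys that make an object "active content" (assumed list, not the engine's).
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA)\b")
# The host this report labels a malicious redirector; a deployment would feed
# this from threat intel rather than hard-code it.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.cc"}


def extract_uris(pdf):
    """Clickable /URI targets taken from link-annotation actions."""
    return [u.decode("latin-1") for u in URI_RE.findall(pdf)]


def redirector_hits(uris, blocklist=KNOWN_REDIRECTOR_HOSTS):
    """URIs whose host is on the redirector blocklist (PDF_MALICIOUS_REDIRECTOR_LINK)."""
    return [u for u in uris if (urlsplit(u).hostname or "").lower() in blocklist]


def link_farm_check(pdf, max_size=256 * 1024, min_links=5, min_share=0.6):
    """PDF_SEO_LINK_FARM shape: a small file, many links to other .pdf files,
    most of them on one host. Thresholds are illustrative assumptions.
    Returns (flagged, details)."""
    uris = extract_uris(pdf)
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    flagged = len(pdf) <= max_size and len(pdf_links) >= min_links and share >= min_share
    return flagged, {"uris": uris, "pdf_links": len(pdf_links),
                     "top_host": top_host, "share": round(share, 2)}


def duplicate_objects(pdf):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: {(num, gen): [body, ...]} for objects
    defined more than once with differing bodies, in file order. Index 0 is what
    a first-wins reader resolves, index -1 what a last-wins reader (the normal
    incremental-update rule) resolves."""
    seen = {}
    for num, gen, body in OBJ_RE.findall(pdf):
        seen.setdefault((int(num), int(gen)), []).append(body.strip())
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def duplicate_severity(dups):
    """'critical' when a conflicting body carries active content, 'info' for
    body-only differences (common in benign incremental updates), else 'none'."""
    if not dups:
        return "none"
    if any(ACTIVE_RE.search(b) for bodies in dups.values() for b in bodies):
        return "critical"
    return "info"


if __name__ == "__main__":
    uris = extract_uris(SAMPLE)
    print("redirector hits:", redirector_hits(uris))
    print("link farm:", link_farm_check(SAMPLE))
    dups = duplicate_objects(SAMPLE)
    print("duplicate objects:", {k: len(v) for k, v in dups.items()}, duplicate_severity(dups))
```

On the sample, the redirector check returns the ttraff.cc URL, the link-farm check flags the file (five .pdf links, 80% on one host), and object 4 is reported twice with the second body carrying /JavaScript, which is exactly the case where the report says severity should be raised above info.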

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off00005f61.bin
  SHA-256: dcaf20638c5e641a9b8c87f000fb44afc824563451af55ec74ce9636b49ca296
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x5F61
  Size:    5300 bytes

font_01_sfnt_off00007169.bin
  SHA-256: ff8289fcab20b7b81f5dc7c47458689637225d7099c48932a46d6898d6123f6c
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x7169
  Size:    2656 bytes

font_02_sfnt_off00007c70.bin
  SHA-256: 18b250f24057ce91e4a59b25c1eec79fa8b4d7e2cb9f6c0de02c7e032a072fd4
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x7C70
  Size:    2328 bytes

font_03_sfnt_off00008726.bin
  SHA-256: a63f067c524b53c6c5baf22e296657236408905476369aebd608429cc0903b46
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x8726
  Size:    29736 bytes

font_04_sfnt_off0000c57c.bin
  SHA-256: b842e402390b30e24378d5f8b17418c84cdafc149ff9019b5fd113da59bd4b5f
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xC57C
  Size:    14120 bytes

font_05_sfnt_off0000f0f8.bin
  SHA-256: 190ac0db8f78cd8fcf422397478b27140b8533199913ec670c089a76cf0db358
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xF0F8
  Size:    2960 bytes
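To verify an artifact like the ones listed (offset, length, SHA-256 of an sfnt font program), the length has to be recovered from the font's table directory, because the sfnt header stores no total size. The carver below is an added illustration, not the engine's code: build_sfnt exists only to construct test input (two tiny fonts, a decoy "true" magic, and a PDF-looking wrapper), and the plausibility limits (at most 64 tables, printable tags) are assumptions. Fonts stored inside a FlateDecode stream must be inflated before carving, so offsets only line up with the file for uncompressed streams.

```python
import hashlib
import struct

# sfnt table-directory magics: TrueType, CFF-based OpenType, Apple TrueType.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")


def build_sfnt(tables):
    """Build a minimal sfnt from {tag: data}; used only to construct test input.
    searchRange/entrySelector/rangeShift and the checksums are left zero."""
    num = len(tables)
    hdr = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num, 0, 0, 0)
    records, payload, off = b"", b"", 12 + 16 * num
    for tag, data in tables.items():
        records += struct.pack(">4sIII", tag, 0, off, len(data))
        padded = data + b"\0" * (-len(data) % 4)   # tables are 4-byte aligned
        payload += padded
        off += len(padded)
    return hdr + records + payload


def sfnt_length(blob, start):
    """Length of the sfnt at blob[start:], or None if the bytes there do not
    form a plausible table directory. The format stores no total length, so it
    is recovered as max(offset + length) over the table records."""
    if blob[start:start + 4] not in SFNT_MAGICS or start + 12 > len(blob):
        return None
    num_tables = struct.unpack(">H", blob[start + 4:start + 6])[0]
    if num_tables == 0 or num_tables > 64:
        return None
    end = 12 + 16 * num_tables
    for i in range(num_tables):
        rec = start + 12 + 16 * i
        if rec + 16 > len(blob):
            return None
        tag, _csum, off, length = struct.unpack(">4sIII", blob[rec:rec + 16])
        if not all(0x20 <= c < 0x7F for c in tag) or off < 12 or length == 0:
            return None
        end = max(end, off + length)
    end += -end % 4
    return end if start + end <= len(blob) else None


def carve_sfnts(blob):
    """Return [(offset, length, sha256)] for every sfnt found in blob."""
    found, pos = [], 0
    while pos < len(blob):
        n = sfnt_length(blob, pos)
        if n:
            found.append((pos, n, hashlib.sha256(blob[pos:pos + n]).hexdigest()))
            pos += n
        else:
            pos += 1
    return found


# Constructed test input (not the analysed sample): two tiny fonts inside a
# PDF-looking wrapper, plus the word "true" as a decoy magic that the
# directory checks must reject.
FONT_A = build_sfnt({b"cmap": b"\x00\x00\x00\x01", b"glyf": b"G" * 10})
FONT_B = build_sfnt({b"OS/2": b"x" * 7})
CONTAINER = (b"%PDF-1.4 /Marked true\n10 0 obj << /Length 60 >> stream\n" + FONT_A
             + b"\nendstream endobj\n11 0 obj << /Length 36 >> stream\n" + FONT_B
             + b"\nendstream endobj\n%%EOF\n")

if __name__ == "__main__":
    for off, n, digest in carve_sfnts(CONTAINER):
        print(f"font at offset 0x{off:X}, {n} bytes, sha256 {digest}")
```

Run against the real sample, the offsets, lengths and digests returned can be compared with the artifact table to confirm that the listed fonts are plain subsetted font programs and nothing else is hiding in those streams.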