Malicious PDF — malware analysis report

Static analysis result for SHA-256 beb4fab4b30042dd…

Verdict: MALICIOUS

File type: PDF

Size: 56.4 KB
Created: 2020-08-29 02:26:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 21a18dce894659f78068907fedec4fd5
SHA-1: 0d77c4fe5ecb8c2699e4f64f2d75843108b3cdbd
SHA-256: beb4fab4b30042dd98c861de4f0dd695dfadb06f8c57996ce66e13bd6e8dcc92
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a high number of embedded links, many of which point to a link farm designed to improve search engine rankings. One prominent link, 'https://ttraff.ru/wix?keyword=dogar+aptitude+test+book+pdf+free+do', is identified as a malicious redirector. The document body, though heavily obfuscated, contains text related to 'dogar aptitude test book pdf free do', reinforcing the lure. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=dogar+aptitude+test+book+pdf+free+do

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: stream_005_off0000a6af.bin
  SHA-256: 3a98b42f8f83c54a427b8ce1b3d7b6dddabc12b49e8aaa78cdb8bc6f9ffc14f4
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xA6AF
  Size: 25652 bytes

Filename: font_00_sfnt_off00006d7c.bin
  SHA-256: 0bdae5ca87937d167cdd01c078333fd8dd0d4de2b68aa1d5ea14eee799c461f8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6D7C
  Size: 5380 bytes

Filename: font_01_sfnt_off00007fd8.bin
  SHA-256: 30588b0b0c00ce13b016e15618c79f99d2a3ed59c17ce1fb978654da585dc902
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7FD8
  Size: 11944 bytes