Malicious PDF — malware analysis report

Static analysis result for SHA-256 c0e5de9e74984133…

MALICIOUS

PDF

168.7 KB Created: 2020-08-23 09:44:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 31f0dd93ac0eb68cb0aefe5f41595cb0 SHA-1: 39f8bdfc0123da793300038bf6dd7cc46fc1a6cf SHA-256: c0e5de9e74984133a7452b51c0d1fe8f68d8f3113251105d39fed868be394d48
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged as malicious by an ML classifier and contains a link to a known malicious redirector infrastructure. The embedded URL `https://ttraff.com/pify?keyword=3.+5+cleric+domain+guide` is the primary indicator of malicious intent. The document body appears to be malformed or heavily obfuscated, preventing a clear understanding of its content beyond the presence of the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=3.+5+cleric+domain+guide
    • http://files.exploreandreconnect.com/uploads/1/3/1/3/131381241/rufovotinito_xalixuzovudu_dexegutit.pdf
    • http://files.integrativehealthohio.com/uploads/1/3/0/7/130738769/ladiranulewozuma.pdf
    • https://cdn.shopify.com/s/files/1/0430/2965/9797/files/muwezepigeji.pdf
    • https://cdn.shopify.com/s/files/1/0429/0668/1497/files/sajezufum.pdf
    • https://cdn.shopify.com/s/files/1/0432/7076/6750/files/80202893110.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/65069223210.pdf
    • https://cdn.shopify.com/s/files/1/0440/6693/0840/files/bojanijewufutobitiwedarug.pdf
    • https://cdn.shopify.com/s/files/1/0435/3903/8359/files/tezejumidajirot.pdf
    • https://cdn.shopify.com/s/files/1/0428/3239/6447/files/12475939446.pdf
    • https://cdn.shopify.com/s/files/1/0430/6147/7527/files/54426528386.pdf
    • https://cdn.shopify.com/s/files/1/0438/2500/4706/files/avg_internet_security_2016_free.pdf
    • https://cdn.shopify.com/s/files/1/0431/1983/7345/files/makabuzoradiwi.pdf
    • https://cdn.shopify.com/s/files/1/0436/0595/0626/files/88541185154.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0002542f.bin
df5315547fd341ba6d0fea593bdb90a3e36eca2e7c041efe5e4a0857b72282b9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2542F 5304 bytes
font_01_sfnt_off00026610.bin
e1586c0f3784c254b55f4301103bce5a5b9595b3fb1e5011efbd0ef2499a9f2d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x26610 15268 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.