Malicious PDF — malware analysis report

Static analysis result for SHA-256 c14327252748acd5…

Verdict: MALICIOUS
File type: PDF
Size: 69.3 KB
Created: 2020-09-01 02:01:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0a0774fbcaa75fe5af9bbdf69788f201
SHA-1: 977b5f3b3830a2c4c7da95e2f08416011ae01d13
SHA-256: c14327252748acd538df321f87f4107e5fb66b7feb24d1da3b5f4990f3085191
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF triggers a critical heuristic for a malicious redirector link pointing to 'ttraff.ru'. It also exhibits PDF link-farm behaviour, with numerous links hosted on cdn.shopify.com, some of them generated for SEO purposes. The document body, although heavily obfuscated, contains the same malicious URL. The primary attack vector appears to be social engineering: the user is directed to a malicious site under the guise of an online form, rather than through any PDF parser vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical) PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=online+form+of+ignou

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      | SHA-256                                                          | Kind            | Source                                | Size
------------------------------|------------------------------------------------------------------|-----------------|---------------------------------------|------------
font_00_sfnt_off0000aeeb.bin  | 7ad50e2f1236c361ffb61f5d661a6633930a29b621084efdbc87fae8eb47aad4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAEEB | 4724 bytes
font_01_sfnt_off0000beef.bin  | 8765cf0b88b7f92a5d87d8e610edc7e529533df6fb0fce5fdf83ca8a84c2684e | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBEEF | 10456 bytes
font_02_sfnt_off0000e2dc.bin  | e296a61d2d303e35be9e1a35631556663d2780498efa7e8f3867bf557f172fe6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE2DC | 16164 bytes
font_03_sfnt_off0000f82f.bin  | 60891ee1a45723ab0a5fba98912b8ccbfe0a9d6784e218fdafad74978f3dccb0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF82F | 3968 bytes