Malicious PDF — malware analysis report

Static analysis result for SHA-256 c1888a89864d5cd1…

Verdict: MALICIOUS
File type: PDF
Size: 78.4 KB
Created: 2020-08-03 06:22:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 16f5119c2f78689461849022e168d00f
SHA-1: 49f786eb7a2aee2de98dc31591fcdae52bad7a74
SHA-256: c1888a89864d5cd1a14736a2b7697189202b1ac33b22c9c1791ce7458684083d
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF was flagged as malicious by an ML classifier and contains a critical heuristic indicating it links to known malicious redirector infrastructure. It also exhibits a PDF link farm with numerous external links, many pointing to Shopify domains, suggesting an attempt to obscure the true destination or leverage legitimate platforms for malicious purposes. The primary malicious URL identified is https://ttraff.ru/pify?keyword=the+king+2+hearts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=the+king+2+hearts

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • stream_006_off0000d432.bin
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0xD432; Size: 9424 bytes
    SHA-256: 0881bb79f6d8b9be4c2e4dd682b29236a7988aa7b136140143c3f5e4b4f77bf9
  • font_00_sfnt_off00009907.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x9907; Size: 14304 bytes
    SHA-256: 937e54013719cefbab0fe5d294cb2325aae7e364f9f491775e9967a23d4e40d4
  • font_01_sfnt_off0000c440.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xC440; Size: 4740 bytes
    SHA-256: ca1b0214c9d257259e8e0d02011b4ddcab11297a1a3f8e3c63d8ffd713b3f84a
  • font_03_sfnt_off0000ef1a.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xEF1A; Size: 15084 bytes
    SHA-256: 0bb9d33959a61f83646072ededfc2bd14d720cf48ab8140065161de75ac51b9c
  • font_04_sfnt_off00011db6.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x11DB6; Size: 4324 bytes
    SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176