Malicious PDF — malware analysis report

Static analysis result for SHA-256 c56559f416e61920…

Verdict: MALICIOUS
File type: PDF
Size: 101.1 KB
Created: 2020-08-17 01:50:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d7947723a1a72887d8d80cc0128d6006
SHA-1: ef5c46e797169529d6f47849567420aec58abe3c
SHA-256: c56559f416e61920b7eace5378de27df121445b4efb23c0630ad8e34c50f44dc
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a mass of external links, including a critical link to a known malicious redirector at 'https://ttraff.cc/pify?keyword=jeet+das+baul+gaan+dj'. The document body also contains this URL, suggesting it is the primary lure. The ML classifier strongly flagged this PDF as malicious. The presence of numerous Shopify links, including one pointing to 'copleston_history_of_philosophy_volume_1.pdf', indicates a potential attempt to blend malicious content with seemingly legitimate resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=jeet+das+baul+gaan+dj
    • http://jubafad.davidwestphotography.net/uploads/1/3/2/3/132302942/napeb.pdf
    • https://cdn.shopify.com/s/files/1/0431/4752/6293/files/copleston_history_of_philosophy_volume_1.pdf
    • https://cdn.shopify.com/s/files/1/0440/8688/6552/files/vedovovokoxanadepigevugil.pdf
    • https://cdn.shopify.com/s/files/1/0433/8499/5991/files/telecharger_dictionnaire_juridique_franais_arabe.pdf
    • https://cdn.shopify.com/s/files/1/0431/3566/4284/files/walolomupodaxunudukafufe.pdf
    • https://cdn.shopify.com/s/files/1/0440/5736/2597/files/ketogenic_diet_resource.pdf
    • https://cdn.shopify.com/s/files/1/0428/5467/8687/files/common_stop_words.pdf
    • https://cdn.shopify.com/s/files/1/0434/6265/6165/files/77948035174.pdf
    • https://cdn.shopify.com/s/files/1/0438/8824/6936/files/the_bodybuilder_s_nutrition_book_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0443/5532/2012/files/camillo_sitte_livro.pdf
    • https://cdn.shopify.com/s/files/1/0436/8426/6137/files/siwojutanifomexotezav.pdf
    • https://cdn.shopify.com/s/files/1/0433/5144/1560/files/25491255807.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000f293.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF293 | 4828 bytes
    SHA-256: a0082b9ce2622813b9c96ffebc1ace3ee1615a50dae1cd1d642215222292afa8
font_01_sfnt_off0001030b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1030B | 11344 bytes
    SHA-256: 6b47921993eecbd6636a821ab524366ad13456d8164c5830dbcf0e994ce1294a
font_02_sfnt_off00012609.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12609 | 2196 bytes
    SHA-256: 722068b2c376611f29946c739f5278376f8673eab3c3ac48bce2a3cadd930377
font_03_sfnt_off0001301c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1301C | 15872 bytes
    SHA-256: 6174c434ef8362c73174df355ee41b271a941efc8fefe6998432d1e3a94965b0
font_04_sfnt_off00016194.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16194 | 16212 bytes
    SHA-256: 23511c2e67c6ae29c4d0e154e51eb1799d02ce05a8518943eb98c654348f8993
font_05_sfnt_off000176f5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x176F5 | 4324 bytes
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361