Malicious PDF — malware analysis report

Static analysis result for SHA-256 c8e909cfc2b7dc4a…

MALICIOUS

PDF

Size: 45.5 KB
Created: 2020-08-01 04:18:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1bb5a9ad5e8cbe442a6a8a3cab4ee6d8
SHA-1: adf359c9d06f6dc9725b5b5a01f7d6aff8722620
SHA-256: c8e909cfc2b7dc4ae45d04b0098fbba71f05b2629e21d2bebecc62349dd4d8b6
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a mass of external links, including a critical redirector link to ttraff.ru. The document body, though heavily obfuscated, contains the string 'Sorry miss jackson lyrics' and the malicious URL, suggesting a lure to a malicious site. The ML classifier also strongly indicated maliciousness. No scripts were extracted, but the PDF structure itself is used for the malicious redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://ttraff.ru/pify?keyword=sorry+miss+jackson+lyrics

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size.

  • font_00_sfnt_off0000666b.bin
    SHA-256: 7fb3bfa76554ae280016633800d486ae49beba60de8e997d38f1c68a0140e7ea
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x666B
    Size: 4880 bytes
  • font_01_sfnt_off000076d4.bin
    SHA-256: 17f3032d5f09a3253c4509609a05da34491923dc56fcede957f5faed417e2904
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x76D4
    Size: 10664 bytes
  • font_02_sfnt_off00009b1d.bin
    SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9B1D
    Size: 4324 bytes