Malicious PDF — malware analysis report

Static analysis result for SHA-256 d09381f57ca1326e…

Verdict: MALICIOUS
File type: PDF
Size: 69.1 KB
Created: 2020-08-17 17:55:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ea31e8587b9ff2890f615eb8a20efa7b
SHA-1: e4dfee560e139d934d5839f4d7fe03db6688199f
SHA-256: d09381f57ca1326e96e795e5f70d52c1cf8310e5184d958b6aa35565e286fd4f
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF was flagged as malicious due to a high number of embedded links, a technique often used for link farms or phishing campaigns. One critical heuristic identified a link to a known malicious redirector at 'https://ttraff.ru/pify?keyword=vs+2017+platform+toolset+v100'. The document body contains obfuscated text and multiple URLs, including benign ones hosted on Shopify and potentially malicious ones on custom domains, suggesting a lure to external content. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.ru/pify?keyword=vs+2017+platform+toolset+v100
    • http://xomid.smilinggrape.com/uploads/1/3/0/8/130814328/xajexasukuwude_pidazimel_wavotilasafovax_lemezu.pdf
    • http://files.chrisdreliszak.com/uploads/1/3/1/4/131438641/xubusevikofixupisiv.pdf
    • https://cdn.shopify.com/s/files/1/0440/3265/5525/files/lean_six_sigma_green_belt_study_material.pdf
    • https://cdn.shopify.com/s/files/1/0431/8353/8331/files/80494588293.pdf
    • https://cdn.shopify.com/s/files/1/0431/7990/1096/files/bivabawediporomevati.pdf
    • https://cdn.shopify.com/s/files/1/0431/6332/0471/files/rulaw.pdf
    • https://cdn.shopify.com/s/files/1/0433/7287/1832/files/99974951820.pdf
    • https://cdn.shopify.com/s/files/1/0428/5323/6902/files/avengers_civil_war_comic.pdf
    • https://cdn.shopify.com/s/files/1/0435/6577/7059/files/jazz_ukulele_tabs.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/52665001447.pdf
    • https://cdn.shopify.com/s/files/1/0429/5131/1513/files/gutupetober.pdf
    • https://cdn.shopify.com/s/files/1/0429/5576/7967/files/adverb_of_frequency.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size.

  • font_00_sfnt_off00009220.bin
    SHA-256: d5c0383c842824b6ff17b7341e5c0bf2f3d9a7d83fef257646ca2b9896d0564b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9220
    Size: 10380 bytes
  • font_01_sfnt_off0000b309.bin
    SHA-256: 80c0f297fad51019bda8774ebd873ce52c143f314ea12ffaac1ed8ae6e352040
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB309
    Size: 5480 bytes
  • font_02_sfnt_off0000c5a5.bin
    SHA-256: 26dcd0344e9a3a85624826d40021559120f6590f6ebd6dd77b65a73ed8f39b55
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC5A5
    Size: 13680 bytes
  • font_03_sfnt_off0000f24d.bin
    SHA-256: e9fe716c2abc985b12a899a49d5539e4e8be1b56d50c083b30290d85a2a7c848
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF24D
    Size: 16092 bytes