Malicious PDF — malware analysis report

Static analysis result for SHA-256 d8d8645315a2a961…

Verdict: MALICIOUS
File type: PDF
Size: 64.5 KB
Created: 2020-08-06 18:44:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1aeb018f92925795adb0b128e8086985
SHA-1: a910d96258227e72e2516d429c4bee88f19506bc
SHA-256: d8d8645315a2a961a86e32b7d11655b999c6e95075be5e8308a413beea95ca04
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF file contains a large number of embedded links, a technique commonly used in SEO poisoning and phishing campaigns. The primary heuristic indicates that the PDF links to known malicious redirector infrastructure, specifically 'https://ttraff.ru/pify?keyword=asmaul+husna+in+malayalam+pdf'. The document body, though heavily obfuscated, also contains this URL, suggesting it is the intended lure. The file's purpose appears to be redirecting users to malicious sites under the guise of providing a PDF document.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=asmaul+husna+in+malayalam+pdf

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256, Kind, Source, Size

  • stream_006_off0000c129.bin
    SHA-256: 42376c6b90e8f58bdc6cca2dfc071dc1d7d049af66cde75d5151e935249aa780
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xC129
    Size: 28960 bytes
  • font_00_sfnt_off00006b9e.bin
    SHA-256: fdf53e69fd6d27ee006aa883fb4c702e2c53c81ab3456ed34f667bf41344363a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6B9E
    Size: 5276 bytes
  • font_01_sfnt_off00007d6b.bin
    SHA-256: abde37dcd6855e33b25b630360108437a4ba7fce9a653763ddd24247be1c2c3d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7D6B
    Size: 9108 bytes
  • font_02_sfnt_off00009c7b.bin
    SHA-256: 9aeca0025401a1f0e4577f2e2bad0691280790002fbd88798bbcf70c3b91a6bb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9C7B
    Size: 10756 bytes