Malicious PDF — malware analysis report

Static analysis result for SHA-256 e2dff1e89afb642e…

Verdict: MALICIOUS
File type: PDF
Size: 45.9 KB
Created: 2020-08-25 16:23:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 387cf219238d9e77e9f92f1e56773680
SHA-1: c7d4202dc05da3067291c280c3146ac2eb7dd1bb
SHA-256: e2dff1e89afb642e728c2203c3504741b9d764755449faf1cb170274daa55c97
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains a large number of embedded links, most of which point to SEO-bait PDF files hosted on Shopify's CDN (cdn.shopify.com). One of these links, 'https://ttraff.ru/pify?keyword=tb+ki+full+form+kya+hai', is known to redirect to malicious infrastructure. This indicates a link-farm campaign that drives traffic to malicious sites: the file is a carrier that depends on the user clicking a link, not on a parser vulnerability. The authoring application (wkhtmltopdf) is consistent with automatically generated carrier documents. No scripts were extracted, and the document body is heavily obfuscated.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the channel that reached each URL (macro, JS, link annotation, document body, ...) is recorded per URL.
    Clickable link targets (the ttraff.ru redirector first):
    • https://ttraff.ru/pify?keyword=tb+ki+full+form+kya+hai
    • http://files.dragonflykarate.org/uploads/1/3/0/7/130776049/pimimopim.pdf
    • http://zeromox.pilgrimlutheranfreedom.com/uploads/1/3/1/4/131437774/jobafunigelopak.pdf
    • http://files.fpzasurfcoast.org/uploads/1/3/1/4/131437984/f38b7a951498d.pdf
    • https://cdn.shopify.com/s/files/1/0438/0193/6033/files/kesimoxagugozeduzizudoba.pdf
    • https://cdn.shopify.com/s/files/1/0433/2634/1278/files/baron_psychology_book.pdf
    • https://cdn.shopify.com/s/files/1/0427/9864/5404/files/doubly_linked_list_python.pdf
    • https://cdn.shopify.com/s/files/1/0436/0637/6611/files/lesson_plan_template_esl_british_council.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/27622062760.pdf
    • https://cdn.shopify.com/s/files/1/0435/8524/1245/files/bureaucratic_theory_max_weber.pdf
    • https://cdn.shopify.com/s/files/1/0434/5122/0120/files/xesawujabafewisudupelu.pdf
    • https://cdn.shopify.com/s/files/1/0433/7192/1571/files/66850648851.pdf
    • https://cdn.shopify.com/s/files/1/0434/5744/6038/files/23166593642.pdf
    • https://cdn.shopify.com/s/files/1/0431/2642/3701/files/fimiwisa.pdf
    • https://cdn.shopify.com/s/files/1/0447/9890/2438/files/tratamiento_psicologico_para_alcoholismo.pdf
    • https://cdn.shopify.com/s/files/1/0433/3718/7493/files/82226505464.pdf
    • https://cdn.shopify.com/s/files/1/0438/5826/4229/files/riot_lyrics_three_days_grace.pdf
    Namespace URIs from the XMP metadata packet (standard RDF/Dublin Core/Adobe schemas, not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
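The two structural heuristics above (a small PDF whose link annotations form a host-clustered PDF link farm, and an object number defined twice with different bodies) can be reproduced with a raw-bytes scan. The following is an added example written for this report, not the scanner's own code: it works on the raw file rather than through a PDF library precisely so that every definition of an object is visible, shows what a first-wins versus a last-wins reader would resolve, and runs against two constructed sample PDFs (one farm-shaped with a duplicated annotation object, one benign). The thresholds, the sample URLs (example.* hosts) and the helper names are assumptions of this example, not values from the analysis.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# "N G obj ... endobj" on raw bytes. Non-greedy, so a binary stream containing the literal
# "endobj" would truncate a body; the constructed samples below contain no streams.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# "/URI (literal string)" inside a link action; tolerates backslash-escaped parentheses.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def pdf_objects(data):
    """Yield (num, gen, body) for every object definition in file order, duplicates included."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(data):
    """Map (num, gen) -> bodies for objects defined more than once with differing bodies
    (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape). Byte-identical repeats are ignored."""
    seen = {}
    for num, gen, body in pdf_objects(data):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve_object(data, num, gen, policy="last"):
    """Body that a first-wins ("first") or last-wins ("last") reader would use for (num, gen)."""
    bodies = [b for n, g, b in pdf_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def extract_uris(data):
    """Every /URI target as str, with the PDF string escapes that matter for URLs undone."""
    uris = []
    for m in URI_RE.finditer(data):
        raw = m.group(1).replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_verdict(data, max_size=200_000, min_links=10, min_pdf_links=8, cluster_ratio=0.5):
    """PDF_SEO_LINK_FARM-style check: small file, many external links, most of them to .pdf
    files, and most clustered on one host. Thresholds are illustrative assumptions."""
    external = [u for u in extract_uris(data) if urlsplit(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(external) if external else 0.0
    hit = (len(data) <= max_size and len(external) >= min_links
           and len(pdf_links) >= min_pdf_links and share >= cluster_ratio)
    return {"hit": hit, "external_links": len(external), "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 2)}


def build_sample_pdf(uris, duplicate_first_annot=False):
    """Constructed test input (not the analysed sample): one page with a link annotation per URI.
    With duplicate_first_annot, object 4 is defined a second time with a different body, the
    way an incremental update or a parser-confusion PDF does it."""
    def lit(s):
        return s.encode("latin-1").replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(uris)))
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + annots + b"] >>"]
    objs += [b"<< /Type /Annot /Subtype /Link /Rect [0 %d 300 %d] /A << /S /URI /URI (%s) >> >>"
             % (10 * i, 10 * i + 10, lit(u)) for i, u in enumerate(uris)]
    parts = [b"%PDF-1.4\n"] + [b"%d 0 obj\n%s\nendobj\n" % (n, body) for n, body in enumerate(objs, 1)]
    if duplicate_first_annot:
        parts.append(b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 300 10] "
                     b"/A << /S /URI /URI (https://example.invalid/replaced) >> >>\nendobj\n")
    parts.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)


# Constructed samples: nine links to one CDN host, two to a second host, one redirector-style
# query URL (farm shape), versus three ordinary links on distinct hosts (benign shape).
FARM_URIS = ([f"https://cdn.example.net/s/files/1/0{i}/files/doc{i}.pdf" for i in range(9)]
             + ["http://files.example.org/uploads/1/3/0/7/a.pdf",
                "http://files.example.org/uploads/1/3/1/4/b.pdf",
                "https://redirector.example.com/go?keyword=some+search+phrase"])
BENIGN_URIS = ["https://www.example.com/", "https://docs.example.org/spec.pdf", "mailto:author@example.com"]
FARM_PDF = build_sample_pdf(FARM_URIS, duplicate_first_annot=True)
BENIGN_PDF = build_sample_pdf(BENIGN_URIS)

if __name__ == "__main__":
    for name, pdf in (("farm", FARM_PDF), ("benign", BENIGN_PDF)):
        print(name, link_farm_verdict(pdf))
        for (num, gen), bodies in duplicate_objects(pdf).items():
            print(f"  object {num} {gen} defined {len(bodies)} times;",
                  f"first-wins -> {resolve_object(pdf, num, gen, 'first')[-45:]!r},",
                  f"last-wins -> {resolve_object(pdf, num, gen)[-45:]!r}")
```

On a real sample, run `link_farm_verdict(open(path, "rb").read())` and `duplicate_objects(...)`; because the scan ignores cross-reference tables, it also sees objects that a reader would never reach, so treat a duplicate as a lead to inspect, not a verdict, exactly as the info-severity rating above does.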

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are embedded sfnt (TrueType/OpenType) font programs; no script or other active-content streams were carved.

font_00_sfnt_off00005610.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x5610
  Size:    5084 bytes
  SHA-256: e0f1f992d58ff299af7bddd71bb57880cd25a599ab30148eb821423681cfbd44

font_01_sfnt_off0000673d.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x673D
  Size:    3720 bytes
  SHA-256: a7c194c348f4bc26aad06ae1fa1eadf76503a3aca856ff80314c3d87a816eea9

font_02_sfnt_off0000729d.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x729D
  Size:    10476 bytes
  SHA-256: c791efd44358d2f2caa23ddedd5779fdb82387d32ceda169a4669223df776203

font_03_sfnt_off00009695.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x9695
  Size:    5484 bytes
  SHA-256: 2bac9c477b2676c90d9cb636df2d37ea6a887f14bda23c0b025d991b4f9937c5