Malicious PDF — malware analysis report

Static analysis result for SHA-256 f2851b8f4eeb37b7…

MALICIOUS

PDF

84.7 KB Created: 2020-08-22 06:37:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 39f7c19ea0a64057029c5e1022544e51 SHA-1: ef438a63896dd2bfec9e580d3d75f97a9d312f21 SHA-256: f2851b8f4eeb37b7e8513dc4e7315f674e2d0be4ab0ac0de54a1d6bc7727a622
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to external resources. One critical heuristic firing indicates that a link leads to known malicious redirector infrastructure, specifically 'https://ttraff.ru/pify?keyword=acog+fetal+heart+monitoring+guidelines'. Another critical heuristic identifies this as a PDF link farm, with numerous links to other PDFs hosted on domains like cdn.shopify.com. The document body, though heavily obfuscated, contains references to these URLs, suggesting the primary intent is to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=acog+fetal+heart+monitoring+guidelines
    • http://files.givete.org/uploads/1/3/0/8/130874350/c10aae76e26c31.pdf
    • http://files.fairgrieveschoolofdance.com/uploads/1/3/1/4/131437669/3455802.pdf
    • http://robik.carlingtonchaplaincy.com/uploads/1/3/1/0/131070450/fajoza.pdf
    • http://files.orionequestrian.com/uploads/1/3/1/4/131406275/3f73942ca.pdf
    • http://sadakezit.kevisixth.com/uploads/1/3/1/3/131398278/fc06ce1.pdf
    • https://cdn.shopify.com/s/files/1/0430/8143/3242/files/gatavifukipatenamapa.pdf
    • https://cdn.shopify.com/s/files/1/0448/0565/2637/files/dear_mr_kilmer_moral_values_answer.pdf
    • https://cdn.shopify.com/s/files/1/0437/7742/5565/files/10346917129.pdf
    • https://cdn.shopify.com/s/files/1/0459/2484/3687/files/back_home_menu_button_apk.pdf
    • https://cdn.shopify.com/s/files/1/0432/9635/8565/files/kubatoza.pdf
    • https://cdn.shopify.com/s/files/1/0440/4926/8886/files/riduwufupakadexobosifugu.pdf
    • https://cdn.shopify.com/s/files/1/0430/6586/8437/files/equipment_qualification_report.pdf
    • https://cdn.shopify.com/s/files/1/0432/1925/5454/files/s._s._c_routine_2020.pdf
    • https://cdn.shopify.com/s/files/1/0430/0547/7023/files/ubuntu_14._04_1_lts.pdf
    • https://cdn.shopify.com/s/files/1/0432/1165/3277/files/86838001269.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ecb9.bin
776df3eb3c5bcdff49d6e74f9b14d9738a47eaa54f7ccec51cf47aa065c0fc4b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xECB9 5424 bytes
font_01_sfnt_off0000fefd.bin
a840c085aafc30db33b60fd20182065eed7b0cf513cb0fb67056f6dfa370726c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFEFD 15992 bytes
font_02_sfnt_off0001309f.bin
2173a1880e9f774f759393e7d0d28dda91d04d8a3eae6bea41b822770b343b90		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1309F 16060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.