Malicious PDF — malware analysis report

Static analysis result for SHA-256 f6d1d24606563cd5…

MALICIOUS

PDF

Size: 319.4 KB
Created: 2020-09-03 18:25:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 213832ebf74b7a8b32dd05705bafaebc
SHA-1: 627309737bde9d37d1afc85c949c083de5de9cda
SHA-256: f6d1d24606563cd51087919b10920cc13bad20d428259dc16c07fe6e5f8ff933
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF triggers a critical heuristic for a malicious redirector link. The embedded URL, https://ttraff.com/pify?keyword=aspergillosis+guidelines+2016+pdf, is the primary indicator of malicious intent. The document body, though heavily obfuscated, contains this URL, which suggests the document is a lure designed to get users to click it. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9955

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, ID: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies (severity: info, ID: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://ttraff.com/pify?keyword=aspergillosis+guidelines+2016+pdf
    • https://static.usrfiles.com/ugd/0bcf16_c9a7f86fe83a4035a34a542e520ab0ee.pdf
    • https://static.usrfiles.com/ugd/48bf55_faa780f68c6c41108fe1aa5539492364.pdf
    • https://static.usrfiles.com/ugd/b0cd75_8247e085d13d4231b0d7164182733c7d.pdf
    • https://static.usrfiles.com/ugd/0bcf16_e1848c6773584fb3980fe9a58e0d7b42.pdf
    • https://static.usrfiles.com/ugd/a107db_c811ff5f172d44a285751c1d8704d8fb.pdf
    • https://static.usrfiles.com/ugd/97634b_a5591e31d3bc4e5ba1743c0c5facfc46.pdf
    • https://static.usrfiles.com/ugd/b50c55_16b2f9985b1946c99228f85d4ecbe6ad.pdf
    • https://static.usrfiles.com/ugd/b4609a_ef85750b837444a68028d2a6c1b1a8ff.pdf
    • https://static.usrfiles.com/ugd/0049ca_9ed98314511b46e18671110785e282d0.pdf
    • https://static.usrfiles.com/ugd/b8c837_f3a5991bec5e4334a69d2fa0767e093f.pdf
    • https://static.usrfiles.com/ugd/3826db_fc1847d718e44a1fbab50b9a306de77a.pdf
    • https://static.usrfiles.com/ugd/3794ad_ed84190b164240649f5d1a24526411e1.pdf
    • https://static.usrfiles.com/ugd/d775a9_0cf8c047b4794e008c17281bdf5729b1.pdf
    • https://static.usrfiles.com/ugd/9904c2_5e5b23239daa483ea036dee5b4afdfea.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename (SHA-256) | Kind | Source | Size
font_00_sfnt_off0004aaaa.bin (b8cb9dd0c6af5d8e46123fb6761b58a729e210691f1f3ad06e2ff8340dfb620a) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4AAAA | 5468 bytes
font_01_sfnt_off0004bd63.bin (5a4c738348408e1f298c2d66675b0eafa5bb1bd00410136abb6ff66e7e223bc3) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4BD63 | 15448 bytes