Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ca68b2f4b5b2ffe…

Verdict: MALICIOUS

File type: PDF

Size: 38.9 KB
Created: 2020-08-01 23:02:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a12e997f40f78bf898ba2b5a1190c9a4
SHA-1: b8f86850c863d2244f5876107b98b4dfb1b5a9c1
SHA-256: 1ca68b2f4b5b2ffe7931afbc08745de219a42eae86acf535bc8abb6105235c10

Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains numerous embedded links, with a critical heuristic firing for a malicious redirector at 'https://ttraff.com/pify?keyword=encyclopedia+magica+volume+1+pdf'. Another critical heuristic identified a PDF link farm, indicating a potential SEO spam or phishing campaign. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted, but the primary attack vector appears to be directing users to malicious external sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/pify?keyword=encyclopedia+magica+volume+1+pdf
    • http://files.drklaracarson.com/uploads/1/3/1/3/131398432/gumaxi.pdf
    • http://files.stephaniemarceau.com/uploads/1/3/2/6/132681308/1769869.pdf
    • http://files.ewiechart.com/uploads/1/3/2/3/132302913/gomokiwu-dapewijutufose-jofumuvusu.pdf
    • https://cdn.shopify.com/s/files/1/0431/5512/8480/files/70643799858.pdf
    • https://cdn.shopify.com/s/files/1/0430/9545/7941/files/gufekizepilu.pdf
    • https://cdn.shopify.com/s/files/1/0428/5041/8847/files/refikasatuvidugarupudobof.pdf
    • https://cdn.shopify.com/s/files/1/0433/7932/7141/files/figabezuvegavajuxevupuv.pdf
    • https://cdn.shopify.com/s/files/1/0437/1375/7339/files/ziwexovisegebisas.pdf
    • https://cdn.shopify.com/s/files/1/0434/0069/1862/files/65062816150.pdf
    • https://cdn.shopify.com/s/files/1/0428/5900/4070/files/18142359805.pdf
    • https://cdn.shopify.com/s/files/1/0430/9535/9642/files/69554906716.pdf
    • https://cdn.shopify.com/s/files/1/0430/5059/8562/files/degetaguzatamapisoba.pdf
    • https://cdn.shopify.com/s/files/1/0431/4506/8699/files/zipedofobupezoxa.pdf
    • https://cdn.shopify.com/s/files/1/0437/8168/5406/files/60168314139.pdf
    • https://cdn.shopify.com/s/files/1/0433/7922/8837/files/xasezixutumeboz.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00005a03.bin
    SHA-256: b04af6ba58c3a0aaa71dc73285751104c95c9b6d5fe37d18e111b86157da8a44
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5A03
    Size: 5372 bytes
  • font_01_sfnt_off00006c60.bin
    SHA-256: 4de5bbc8ca8d26472d2f66318e259e164d54d27f771f141ae64f72eeafd075e8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6C60
    Size: 9952 bytes