Malicious PDF — malware analysis report

Static analysis result for SHA-256 225d97b9c801b184…

Verdict: MALICIOUS
File type: PDF
Size: 54.3 KB
Created: 2020-08-08 12:17:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a945c648e2531f5ed310767ed063892e
SHA-1: d8750b9215b7b3dafc5ce8aec1e1e3ef1c4da068
SHA-256: 225d97b9c801b184a4ccf148255298d005172b400d437b6b625033e5bd404bee
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/pify?keyword=contending+economic+theories+pdf'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, many hosted on cdn.shopify.com. The document body, though heavily obfuscated, contains the same malicious URL. The primary attack pattern involves luring the user to click the malicious link, likely leading to a further stage of infection.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=contending+economic+theories+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000096ad.bin
  SHA-256: 52a2d646185227da73d420bbb9e6ab3be8dc18a5a6339905512d684579e8499b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x96AD
  Size: 5232 bytes

Filename: font_01_sfnt_off0000a854.bin
  SHA-256: 3926d397382d8b6df5cceca4498f9966747a4ef98195cdbbfd7a67663a3d24ca
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA854
  Size: 10652 bytes