Malicious PDF — malware analysis report

Static analysis result for SHA-256 22c10a22bf34533d…

Verdict: MALICIOUS

File type: PDF

Size: 43.0 KB
Created: 2020-09-12 12:43:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0029be654ad1f5dd4603cd81cdcbcb6e
SHA-1: 21e1bbd026977553b064d8410875f8b276c425d1
SHA-256: 22c10a22bf34533d845219dab20d8ec4a2b51dcd27657947aa2c436bafbfd29c
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF document contains a mass external link farm, with the primary link directing to a known malicious redirector infrastructure. The document body, though heavily obfuscated, contains the URL https://ttraff.me/pify?keyword=history+google+slides+template, which is the main lure. The ML classifier strongly flagged this PDF as malicious, and the presence of numerous links to external PDFs suggests an attempt to distribute malicious content or engage in SEO manipulation for malicious purposes.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] (PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.me/pify?keyword=history+google+slides+template

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006b36.bin
    SHA-256: 87ab3731df418e10a421f6deed4b9f2483762e03c37b67367e880c3f19c1fe90
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6B36
    Size: 5340 bytes
  • Filename: font_01_sfnt_off00007d4c.bin
    SHA-256: 72e24a78428eb2d240df7d5c0ea712fbd5bac401f3e123676b32d0dc3b61093d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7D4C
    Size: 9976 bytes