Malicious PDF — malware analysis report

Static analysis result for SHA-256 2559ae45b74e63dd…

Verdict: MALICIOUS
File type: PDF
Size: 45.7 KB
Created: 2020-08-01 23:25:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b83f8a2cac6298fac307393f2a3e7008
SHA-1: c7ff5246c7d4215c4b34f8c6b46d1b82977c6f65
SHA-256: 2559ae45b74e63ddf3a6df95680f6bbb8bbeb05a15acac6e51f7eb9d61273263
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains numerous links, many pointing to a link farm hosted on cdn.shopify.com, and one critical link to a known malicious redirector at ttraff.com. The document body, though heavily obfuscated, contains the target URL, suggesting the primary goal is to redirect the user to malicious content. The ML classifier strongly supports the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=ffxi+how+to+change+screen+resolution

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00007448.bin
    SHA-256: 1aa867a022881ab99fcba3aa7e59477ea2c58c0ac8df6dbbd4793201e46c9002
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7448
    Size: 5260 bytes
  • Filename: font_01_sfnt_off0000864a.bin
    SHA-256: 4287aabf8484bdd2ee7b762777609e3720681ae2299bd081d7e3a9a14338d405
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x864A
    Size: 10300 bytes