Malicious PDF — malware analysis report

Static analysis result for SHA-256 26a7c76e03fb536e…

MALICIOUS

PDF

43.4 KB Created: 2020-09-03 01:22:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a9c9a2530f0775fe85176158cce241a2 SHA-1: 630cd6f7bcea7ebdd086dd7fa3049d62f7bcc969 SHA-256: 26a7c76e03fb536e0568b4b2bb421ab79aa278124287026abda82cd90f8893e8
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.club/pify?keyword=days+of+the+week+in+german+pdf'. This indicates the document's primary purpose is to lure the user to a malicious site. The file also exhibits characteristics of a link farm, with numerous external PDF links, suggesting a broader SEO-based distribution strategy. The ML classifier strongly supports the malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/pify?keyword=days+of+the+week+in+german+pdf
    • https://static.usrfiles.com/ugd/e02969_fa3d22c430fe40fc96a6f589af4d1f56.pdf
    • https://static.usrfiles.com/ugd/314c35_30717b93e5d942fa9adb2f81eeb9e972.pdf
    • https://static.usrfiles.com/ugd/c12414_83c9942383b845e596c9437850c2f029.pdf
    • https://cdn.shopify.com/s/files/1/0433/9436/7655/files/guzexubodawipevit.pdf
    • https://cdn.shopify.com/s/files/1/0431/3051/9709/files/3496896154.pdf
    • https://cdn.shopify.com/s/files/1/0431/2236/0469/files/bilibofifuta.pdf
    • https://cdn.shopify.com/s/files/1/0431/7449/4369/files/4297122888.pdf
    • https://static.usrfiles.com/ugd/d4579c_9b7c2b5b20264685a99d6b6b77218a2d.pdf
    • https://static.usrfiles.com/ugd/b8c837_1c31558bff1c4664b5282cef82c857d9.pdf
    • https://static.usrfiles.com/ugd/b8c837_735c6288f6dc435e9ebd8326560b260d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006241.bin
49404ddc5e12d7940a0b381ba9587e307f95b08935aa853f654d4d87128cc063		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6241 5680 bytes
font_01_sfnt_off00007599.bin
4c6dc694b6b0b4e119a6aaa0c5965a26ec2e41792d212e99d46074b38017be25		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7599 13872 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.