Malicious PDF — malware analysis report

Static analysis result for SHA-256 270f853a8ac043e2…

MALICIOUS

PDF

45.0 KB Created: 2020-08-10 10:13:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a231881c568c6bfd52e6b17294b805e7 SHA-1: 9d6adc0f2118ce20367aba3ecdd56176aba34d36 SHA-256: 270f853a8ac043e21eaa8d299520c4c5e5c8f985146e0e756fc6e9dfc438b13b
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Attachment T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains a mass external link farm, with the primary malicious redirector being https://ttraff.cc/pify?keyword=business+strategy+development+application+gary+bissonette+pdf. This indicates a phishing or social engineering attempt to redirect the user to malicious content. The ML classifier strongly supports this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=business+strategy+development+application+gary+bissonette+pdf
    • http://sunusi.stowinfo.co.uk/uploads/1/3/0/8/130874493/6069415.pdf
    • http://files.shilohchristianband.com/uploads/1/3/1/4/131437823/b25822a178f.pdf
    • http://suwexef.tonodiaz.com/uploads/1/3/0/7/130776407/6782670.pdf
    • http://files.bethanyyatesart.com/uploads/1/3/0/8/130873717/xepufitavir_zuxuvo_nivoxikiz.pdf
    • http://files.pageuptraining.com/uploads/1/3/1/4/131407890/2757065.pdf
    • https://cdn.shopify.com/s/files/1/0441/2289/8584/files/wezifipepikuwototema.pdf
    • https://cdn.shopify.com/s/files/1/0437/3495/8229/files/adverbs_modifying_adjectives_and_verbs_exercises.pdf
    • https://cdn.shopify.com/s/files/1/0441/1876/9816/files/jumajegarodaxaneg.pdf
    • https://cdn.shopify.com/s/files/1/0429/8843/7655/files/dibidopi.pdf
    • https://cdn.shopify.com/s/files/1/0440/1440/3742/files/53079899599.pdf
    • https://cdn.shopify.com/s/files/1/0427/4293/9814/files/introduction_to_medical_bacteriology.pdf
    • https://cdn.shopify.com/s/files/1/0437/4226/5498/files/vemisodotedatuto.pdf
    • https://cdn.shopify.com/s/files/1/0450/7946/2040/files/geneva_switzerland_map.pdf
    • https://cdn.shopify.com/s/files/1/0434/2457/9736/files/98567852704.pdf
    • https://cdn.shopify.com/s/files/1/0431/0990/8637/files/zobexonaramifu.pdf
    • https://cdn.shopify.com/s/files/1/0433/5036/0232/files/minecraft_bending_servers.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007077.bin
f0982616392ce630eabdb21606396e43dff5126060b93bb23046b250d546a473		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7077 5824 bytes
font_01_sfnt_off00008443.bin
7c6cac656ff287b0b1ac6340e577b3261106df50095ff44c3ec7f9681e509bac		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8443 10084 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.