Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d499dc6a52e02e6…

MALICIOUS

PDF

44.6 KB Created: 2020-08-15 08:44:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9ac2c92ae68f01e01b14fff7b73617a9 SHA-1: 4da45b9c9e1a830f419bb65370c3bf8976893d50 SHA-256: 2d499dc6a52e02e6adfa2aaa46fcbca90ef5b6168231135cafb5a0dc18a33318
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged by multiple critical heuristics indicating malicious redirector links and a link farm. The document body contains the URL 'https://ttraff.ru/pify?keyword=bibia+be+ye+ye+video', which is also listed as a malicious redirector. The presence of numerous embedded links, many pointing to Shopify domains but likely serving as a front for malicious content, suggests a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=bibia+be+ye+ye+video
    • http://files.turkanagemasycristales.com/uploads/1/3/0/7/130776344/459e0c.pdf
    • http://files.stlouiscivilwarball.com/uploads/1/3/0/9/130968943/limotazofof.pdf
    • https://cdn.shopify.com/s/files/1/0436/3078/8758/files/71931029167.pdf
    • https://cdn.shopify.com/s/files/1/0432/9707/9460/files/konasofovizob.pdf
    • https://cdn.shopify.com/s/files/1/0435/4274/1143/files/roluluvis.pdf
    • https://cdn.shopify.com/s/files/1/0432/5543/1323/files/guwifemolajuz.pdf
    • https://cdn.shopify.com/s/files/1/0427/5847/1846/files/7540786392.pdf
    • https://cdn.shopify.com/s/files/1/0430/1609/3849/files/26866743785.pdf
    • https://cdn.shopify.com/s/files/1/0433/8899/3703/files/snes_roms_unblocked.pdf
    • https://cdn.shopify.com/s/files/1/0431/8950/2110/files/atoms_elements_molecules_and_compounds.pdf
    • https://cdn.shopify.com/s/files/1/0431/0496/0661/files/cooper_bussmann_fuses_catalogue.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005bfb.bin
ddbaafd4c6ece0c7b3d41ec954e91f8f88218dba099ab726c59e14466f5cafee		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5BFB 4464 bytes
font_01_sfnt_off00006b28.bin
d84d133f8be175c41a9a30ca74c194ff4552f1bd6589e6972d6457ca5359e694		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B28 1872 bytes
font_02_sfnt_off00007417.bin
d70261b77e8bd2c184044140c93e96bfc0f2ec1e7d4bb74c9ecf6f30d8a1f08a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7417 10384 bytes
font_03_sfnt_off000097b5.bin
05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176		 pdf-font-stream PDF embedded font (sfnt) at offset 0x97B5 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.