Malicious PDF — malware analysis report

Static analysis result for SHA-256 32d0f0018b3cb599…

MALICIOUS

PDF

44.7 KB Created: 2020-08-02 21:22:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b4c38a345bc9007ad056570839407901 SHA-1: b92c46a75f15036858f98fc8fc0fdeb6f94811bf SHA-256: 32d0f0018b3cb599ce63d0de4379a158301476d824c2de884b94f9b937c2bfbc
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.ru/pify?keyword=brazil+vs+france'. Additionally, it exhibits characteristics of a PDF link farm, with numerous links to external PDFs hosted on domains like cdn.shopify.com. The ML classifier also strongly flagged this PDF as malicious. The document body, though heavily obfuscated, contains the malicious URL and references to 'Brazil vs France', suggesting a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=brazil+vs+france
    • http://files.christophercawley.us/uploads/1/3/1/4/131453194/zudetidadakobexa.pdf
    • http://files.laurasallen.com/uploads/1/3/1/3/131381450/6881946.pdf
    • http://files.gilliantorckler.com/uploads/1/3/0/8/130874629/gomenevidi-kinepowa-xasokipa-xupuzateseroji.pdf
    • http://files.eahae.online/uploads/1/3/2/7/132740873/9604865.pdf
    • https://cdn.shopify.com/s/files/1/0437/8089/8973/files/siloledurag.pdf
    • https://cdn.shopify.com/s/files/1/0433/0664/7717/files/91344001035.pdf
    • https://cdn.shopify.com/s/files/1/0433/8941/9676/files/52209247897.pdf
    • https://cdn.shopify.com/s/files/1/0430/0849/1673/files/roxazavanizokepaze.pdf
    • https://cdn.shopify.com/s/files/1/0435/4031/6311/files/93972176971.pdf
    • https://cdn.shopify.com/s/files/1/0428/8099/1388/files/71973658825.pdf
    • https://cdn.shopify.com/s/files/1/0431/8671/6830/files/83092007266.pdf
    • https://cdn.shopify.com/s/files/1/0434/8156/3286/files/jixolavakidazorosuza.pdf
    • https://cdn.shopify.com/s/files/1/0431/1567/5815/files/46121682367.pdf
    • https://cdn.shopify.com/s/files/1/0431/3301/0082/files/kazanutomurikod.pdf
    • https://cdn.shopify.com/s/files/1/0431/9870/9918/files/tofafuzimobuni.pdf
    • https://cdn.shopify.com/s/files/1/0436/9347/3947/files/37925487865.pdf
    • https://cdn.shopify.com/s/files/1/0427/6482/8839/files/52730231030.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007244.bin
a8ac7a954733e01fd91ebc8a166eae54d25116a712f49d691c1b42689c733800		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7244 5036 bytes
font_01_sfnt_off00008382.bin
d57004a857cc0b078548ac5dddbfc40f11e1193bfcaa31e389c7b5df46a7a97b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8382 10008 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.