Malicious PDF — malware analysis report

Static analysis result for SHA-256 33a55f600dbebfdb…

MALICIOUS

PDF

43.8 KB Created: 2020-08-20 11:53:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a46def86e62f7809bf52da5177742e5c SHA-1: d9a7d7ea6470ead48ca320bf9982c1bccc6b3848 SHA-256: 33a55f600dbebfdbf7825fd7cf74df6445f0e46810549b13f575dacf68045f04
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link disguised as a Java update download. The link directs to 'https://ttraff.com/pify?keyword=java+8+update+171+free', which is flagged as malicious. Additionally, the PDF exhibits characteristics of a link farm, with numerous external links, including one pointing to 'https://cdn.shopify.com/s/files/1/0432/2207/3508/files/17526115281.pdf'. The ML classifier strongly supports the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=java+8+update+171+free
    • http://files.630shistory.com/uploads/1/3/0/7/130776401/zonikinukitevi.pdf
    • http://files.vanemanmusic.com/uploads/1/3/1/4/131409309/jujufomog_gopoki_sizosozabavit.pdf
    • https://cdn.shopify.com/s/files/1/0432/2207/3508/files/17526115281.pdf
    • https://cdn.shopify.com/s/files/1/0434/4496/1442/files/schema_electrique_ascenseur_otis.pdf
    • https://cdn.shopify.com/s/files/1/0431/5919/1712/files/servicenow_report_maximum_execution_time_exceeded.pdf
    • https://cdn.shopify.com/s/files/1/0427/7505/2454/files/vuvazub.pdf
    • https://cdn.shopify.com/s/files/1/0435/5339/0743/files/allstate_r3001_exclusive_agency_agreement.pdf
    • https://cdn.shopify.com/s/files/1/0430/0685/3269/files/runanosonuwik.pdf
    • https://cdn.shopify.com/s/files/1/0432/6536/0034/files/misamiviraxujeter.pdf
    • https://cdn.shopify.com/s/files/1/0433/2729/1547/files/6_team_tournament_bracket.pdf
    • https://cdn.shopify.com/s/files/1/0447/6777/2821/files/netutanutew.pdf
    • https://cdn.shopify.com/s/files/1/0431/1678/9927/files/pifekinapider.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005d0a.bin
d197c729f8d93d84b1204f30b59385412a7bb790257a3b5fe79e7602539861af		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D0A 4852 bytes
font_01_sfnt_off00006e09.bin
c6db92278b457ec38a56157f3e391542a2d934bca7cd83e7d708c738bd5829dd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E09 5200 bytes
font_02_sfnt_off00007fde.bin
26b700019d37033530ff2fb3ec88edabae69c076d6f2c215f3fd2751ef7dd635		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7FDE 10136 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.