Malicious PDF — malware analysis report

Static analysis result for SHA-256 36a3ebdf3bf5bdef…

Verdict: MALICIOUS
File type: PDF
Size: 39.3 KB
Created: 2020-08-20 10:23:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9cee875dafb8ef33b525d0b5fe157c3d
SHA-1: 0ed738c3fe3d710a9dbd9c025d9ed376426023e4
SHA-256: 36a3ebdf3bf5bdef28bc956b1baa77ed02a5bf5697846d767544d8694c18c228
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.cc/pify?keyword=eva+foam+sheet+white'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, many hosted on cdn.shopify.com, likely for SEO manipulation or to obscure the malicious destination. The ML classifier also strongly flagged this PDF as malicious. The document body, though heavily corrupted, contains fragments that appear to be related to product listings, aligning with the redirector's keyword.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=eva+foam+sheet+white

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size / SHA-256:

  • font_00_sfnt_off00005056.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5056
    Size: 4672 bytes
    SHA-256: 85a0dfea274b0e94fa96a19691bd4af49944095f548fce8f043a01cc34732704
  • font_01_sfnt_off00006054.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6054
    Size: 10056 bytes
    SHA-256: 682d3ea94e79ece9ed6a8bc923eded73b7d66c7c5abc455954e5de32e68a0058
  • font_02_sfnt_off000082d7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x82D7
    Size: 4324 bytes
    SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e