Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ac20ee34d68f79f…

MALICIOUS

PDF

Size: 47.9 KB
Created: 2020-08-21 05:13:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: a9f9c5530940d6a949394da1de1940a3
SHA-1: 6e2406300870a47ddb430e14e5d58a967c3648bb
SHA-256: 3ac20ee34d68f79fbdc3357ccbdf2c96104391f5424d8407b8e8a1a74171f080

Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

A heuristic fired on this PDF for a malicious redirector link, specifically 'https://ttraff.cc/pify?keyword=call+recording++karen'. This indicates a social engineering lure, most likely intended to trick the user into clicking the link under the guise of accessing a call recording. The document also contains a large number of embedded links, many of them pointing to Shopify domains, but the primary malicious IOC is the redirector. No scripts were extracted; the combination of the redirector and the lure strongly suggests a phishing or scam attempt that relies on user interaction rather than on a parser exploit.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.cc/pify?keyword=call+recording++karen
    • http://fopazif.titansinvite.com/uploads/1/3/0/7/130776255/ramiwuzaju_tirotuz.pdf
    • http://files.savorfoods.ca/uploads/1/3/1/4/131453241/41c204af6.pdf
    • http://files.kevinssmallworld.com/uploads/1/3/0/8/130874115/3247594.pdf
    • http://rulefife.caitlin-cannon.com/uploads/1/3/0/8/130874368/735b392217b3.pdf
    • http://files.breathingblues.org/uploads/1/3/1/4/131436978/gifedilije-dobigibomuza-jilik.pdf
    • https://cdn.shopify.com/s/files/1/0435/8832/1437/files/authentic_assessment_methods.pdf
    • https://cdn.shopify.com/s/files/1/0428/9114/9475/files/breadth_first_search_in_artificial_intelligence.pdf
    • https://cdn.shopify.com/s/files/1/0435/5496/3617/files/korean_story_books_for_beginners.pdf
    • https://cdn.shopify.com/s/files/1/0440/3062/3894/files/mofozaxupobotaravubiza.pdf
    • https://cdn.shopify.com/s/files/1/0449/3272/6952/files/mixinoda.pdf
    • https://cdn.shopify.com/s/files/1/0430/8513/6021/files/20265959246.pdf
    • https://cdn.shopify.com/s/files/1/0437/3191/0821/files/cinderella_man_question_sheet_answers.pdf
    • https://cdn.shopify.com/s/files/1/0437/9194/1781/files/rulifonifefir.pdf
    • https://cdn.shopify.com/s/files/1/0431/7190/5698/files/8601811401.pdf
    • https://cdn.shopify.com/s/files/1/0431/3966/1986/files/9343619061.pdf
    • https://cdn.shopify.com/s/files/1/0430/0223/2983/files/20835677093.pdf
    • https://cdn.shopify.com/s/files/1/0437/5959/9765/files/72473579829.pdf
    • https://cdn.shopify.com/s/files/1/0429/8863/4266/files/chrome_for_android_apk.pdf
    • https://cdn.shopify.com/s/files/1/0449/4698/1023/files/binomios_conjugados_ejercicios.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000706a.bin
    SHA-256: c2f21a7a6a20d7283b16f2a2c4d635e2f145310385134da009233260ada0b7ab
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x706A
    Size: 4724 bytes
  • font_01_sfnt_off0000807a.bin
    SHA-256: 71a5521fc0a18786a900f1c805b127cf13ade10c4d0d0d002c32ba56d9b956bb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x807A
    Size: 10516 bytes
  • font_02_sfnt_off0000a489.bin
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA489
    Size: 4324 bytes