Malicious PDF — malware analysis report

Static analysis result for SHA-256 415ffab4400fd6fa…

Verdict: MALICIOUS
File type: PDF
Size: 49.0 KB
Created: 2020-08-07 04:00:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a0d08cb8ade021ee4a9d3bd28414b5b8
SHA-1: 708d7135aa4292aa355e18066b670beb4a42d266
SHA-256: 415ffab4400fd6fa474c7adf38c8c134d1cf4715c3eda0d7d012c051bc65fade
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/pify?keyword=bass+guitar+books+for+beginners+pdf'. This link is presented within the document body, disguised as a resource for beginner bass guitar books. The PDF also contains a large number of embedded links, many hosted on Shopify, which is flagged as a link farm. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=bass+guitar+books+for+beginners+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007f21.bin
  SHA-256: 38cbeccae1321ab150a00dc8a11aff6bd30e7e6ffd6b0c69df6f8356f221e98b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7F21
  Size: 5428 bytes

Filename: font_01_sfnt_off000091a5.bin
  SHA-256: 98bb7205e394cb80f0a569a0cbd0a87d48f9e56bbcb5b7ec114f582949ff1739
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x91A5
  Size: 10552 bytes