Malicious PDF — malware analysis report

Static analysis result for SHA-256 41fa28d4b72ebfca…

MALICIOUS

PDF

50.8 KB Created: 2020-08-06 22:45:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a1a147e3abc019406b8b1008c7360a30 SHA-1: 15b12d2e6e8fed4e65c920ff0580446489bbe652 SHA-256: 41fa28d4b72ebfca48dd1a5b7c91a154e364fd9226c7ead469108207f9787a7a
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing indicating it links to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains the URL https://ttraff.cc/pify?keyword=php+web+development+tutorial+pdf, which is also listed as an embedded URL. This URL is likely used to redirect the user to a malicious site, disguised as a tutorial PDF. The PDF also contains a mass external PDF link farm, with many links pointing to Shopify domains, likely for SEO manipulation or to host further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=php+web+development+tutorial+pdf
    • http://files.jezus.pl/uploads/1/3/0/9/130969377/wekedi.pdf
    • http://files.drkatherinemasters.com/uploads/1/3/0/7/130738568/fogedux_vajebilutagorir_femifeb.pdf
    • http://files.tanyaeavenson.com/uploads/1/3/2/6/132695679/nagojunuwa-koves-fapepalugeli.pdf
    • https://cdn.shopify.com/s/files/1/0440/8170/9206/files/5318049588.pdf
    • https://cdn.shopify.com/s/files/1/0431/6980/8548/files/nefopebidisenaguf.pdf
    • https://cdn.shopify.com/s/files/1/0431/1089/1680/files/wojesikijiji.pdf
    • https://cdn.shopify.com/s/files/1/0431/0610/7552/files/jesafarur.pdf
    • https://cdn.shopify.com/s/files/1/0432/3095/3627/files/big_girls_don_t_cry_chords.pdf
    • https://cdn.shopify.com/s/files/1/0434/6540/8662/files/55459120220.pdf
    • https://cdn.shopify.com/s/files/1/0439/1141/3915/files/nuturexef.pdf
    • https://cdn.shopify.com/s/files/1/0432/8056/4392/files/87655904948.pdf
    • https://cdn.shopify.com/s/files/1/0427/8360/4903/files/hydro_pneumatic_braking_system.pdf
    • https://cdn.shopify.com/s/files/1/0432/1820/6888/files/44198208046.pdf
    • https://cdn.shopify.com/s/files/1/0428/7404/4579/files/mark_hamill_filmography.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007bd2.bin
95d08e3b497e7263af810e300a9d5f02ce5f56487626c76a67d48343e0fa5bf4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7BD2 5396 bytes
font_01_sfnt_off00008e14.bin
8288e54a699658e0f681603a4e29621f88dd50829e9c0c02bb5389f32242f5de		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8E14 15408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.