Malicious PDF — malware analysis report

Static analysis result for SHA-256 433c80350ad1f8e9…

MALICIOUS

PDF

277.8 KB Created: 2020-08-06 21:38:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b9baabb56694da028ebced22d6eff724 SHA-1: 44b2ecca9c51737afa8634ed38f792652de44eb2 SHA-256: 433c80350ad1f8e94ed2137573423639467bd37e485d8667f94b05df018a696f
90 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=tenancy+agreement+form+in+nigeria+pdf'. The document body, though heavily obfuscated, also contains this URL. This indicates the primary goal is to redirect the user to a malicious site, likely for further exploitation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=tenancy+agreement+form+in+nigeria+pdf
    • http://files.lighthousejackson.com/uploads/1/3/1/3/131398242/xilibikaje-forirokilemo-nerujipab.pdf
    • http://nakelugaf.alexiajazz.com/uploads/1/3/0/7/130739385/9889197.pdf
    • http://files.debudgetheer.nl/uploads/1/3/1/4/131453081/fowap_tevezuxaloke.pdf
    • https://cdn.shopify.com/s/files/1/0429/3197/8403/files/fulepasum.pdf
    • https://cdn.shopify.com/s/files/1/0433/5442/3464/files/56104749121.pdf
    • https://cdn.shopify.com/s/files/1/0437/8217/6917/files/bitwise_operators_in_c.pdf
    • https://cdn.shopify.com/s/files/1/0431/1403/7397/files/20699197820.pdf
    • https://cdn.shopify.com/s/files/1/0430/5197/4818/files/field_attachment_report_sample.pdf
    • https://cdn.shopify.com/s/files/1/0433/4895/1194/files/64539665063.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/19194700937.pdf
    • https://cdn.shopify.com/s/files/1/0433/2912/6550/files/66295736028.pdf
    • https://cdn.shopify.com/s/files/1/0429/9656/4131/files/135328534.pdf
    • https://cdn.shopify.com/s/files/1/0433/8126/0440/files/80714801824.pdf
    • https://cdn.shopify.com/s/files/1/0440/9065/4870/files/44054823595.pdf
    • https://cdn.shopify.com/s/files/1/0428/3059/4204/files/26189242067.pdf
    • https://cdn.shopify.com/s/files/1/0437/8856/6677/files/best_to_word_converter_ocr.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0003fd20.bin
304d28c7b2e87ad669695cbd97d73297741b60dba769362b4d759a1608861b01		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3FD20 5316 bytes
font_01_sfnt_off00040f30.bin
51554ce018eb385e1655620851964ad0e6cd1cca86ed2efc35693c5647e1373b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x40F30 18500 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.