Malicious PDF — malware analysis report

Static analysis result for SHA-256 443204dd7fff143e…

MALICIOUS

PDF

41.6 KB Created: 2020-08-12 02:39:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ba2e2a5c74650de509718d61bbfbb113 SHA-1: 857f498ba3e53eac7beba2d0674a26b6cace0e55 SHA-256: 443204dd7fff143ed8135759c3e2ba298407d3c94332ff6a2bd7f0036208efed
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=basic+electrical+engineering+important+questions+pdf'. This indicates the document's primary purpose is to redirect users to malicious sites. The presence of a large number of external PDF links, many pointing to Shopify domains, suggests a link farm or SEO poisoning tactic to improve search engine ranking for malicious content. No scripts were extracted, but the PDF structure and embedded links strongly suggest a phishing or redirection attack.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=basic+electrical+engineering+important+questions+pdf
    • http://files.circusgreg.com/uploads/1/3/1/3/131381681/metuzike-tupawoliv-kapemun-nekilojavi.pdf
    • http://torapa.varsitystitchshop.com/uploads/1/3/1/4/131407233/0f01b24.pdf
    • http://files.portiaresnick.com/uploads/1/3/1/4/131453990/gezemilevupa-texuxidireme-tomarudok-zesedo.pdf
    • https://cdn.shopify.com/s/files/1/0446/6167/0051/files/sbi_group_personal_accident_insurance_policy.pdf
    • https://cdn.shopify.com/s/files/1/0434/8782/1984/files/82079903763.pdf
    • https://cdn.shopify.com/s/files/1/0429/2182/0313/files/tunit.pdf
    • https://cdn.shopify.com/s/files/1/0437/3449/9489/files/fitanelafisofudadutuweb.pdf
    • https://cdn.shopify.com/s/files/1/0434/9663/6580/files/surviving_sepsis_guidelines_2020.pdf
    • https://cdn.shopify.com/s/files/1/0431/4500/3169/files/9619500626.pdf
    • https://cdn.shopify.com/s/files/1/0438/8959/0427/files/estudio_sobre_la_armadura_de_dios.pdf
    • https://cdn.shopify.com/s/files/1/0433/0523/8688/files/wojupinunukedika.pdf
    • https://cdn.shopify.com/s/files/1/0430/2520/3354/files/tared.pdf
    • https://cdn.shopify.com/s/files/1/0429/3391/1705/files/gumakodisitob.pdf
    • https://cdn.shopify.com/s/files/1/0432/1175/1579/files/39459699435.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000061ab.bin
4cc05cfc5b9b1018e1a801b3a11031cbcf25e4e534542202ebe6acabfa2ed8ca		 pdf-font-stream PDF embedded font (sfnt) at offset 0x61AB 5648 bytes
font_01_sfnt_off000074b4.bin
625b08931d936d4ec27422b65d2f0fdfb4f4c9b77de0120f621d6a718aded1b6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x74B4 10868 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.