Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a44152919ce8cbf…

MALICIOUS

PDF

59.1 KB Created: 2020-08-02 19:20:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b093d882bdd0d7b859d63d6173fc817c SHA-1: 6ae096f974bf5d63e249140f7702f22d413efcc6 SHA-256: 4a44152919ce8cbfb5d8545d92034095ebb8197430c744871886b0630167d9df
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link pointing to 'https://ttraff.ru/pify?keyword=mocha+js+tutorial'. Additionally, it exhibits characteristics of a PDF link farm, with numerous links, many hosted on Shopify. The document body, though heavily obfuscated, contains the same URL, suggesting it's a lure to a malicious site. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=mocha+js+tutorial
    • http://vavofa.societyandwildlife.com/uploads/1/3/1/4/131452922/4880159.pdf
    • http://files.dysonhouselr.com/uploads/1/3/1/3/131379830/636c058a.pdf
    • http://files.jenniferasbell.com/uploads/1/3/0/7/130775109/lefagivakaxalitaju.pdf
    • https://cdn.shopify.com/s/files/1/0440/2737/9877/files/jigegaboxip.pdf
    • https://cdn.shopify.com/s/files/1/0432/0083/9841/files/wasar.pdf
    • https://cdn.shopify.com/s/files/1/0429/4072/7463/files/zigegipe.pdf
    • https://cdn.shopify.com/s/files/1/0431/0253/5840/files/ratowipavavifekuj.pdf
    • https://cdn.shopify.com/s/files/1/0430/0436/2906/files/10798489223.pdf
    • https://cdn.shopify.com/s/files/1/0432/1692/8923/files/harrisons_internal_medicine.pdf
    • https://cdn.shopify.com/s/files/1/0435/3005/9940/files/gutuzagibugonevipezava.pdf
    • https://cdn.shopify.com/s/files/1/0434/2117/1864/files/30333846219.pdf
    • https://cdn.shopify.com/s/files/1/0431/6289/4485/files/31443074093.pdf
    • https://cdn.shopify.com/s/files/1/0431/8547/1656/files/27271059105.pdf
    • https://cdn.shopify.com/s/files/1/0429/3227/3319/files/69563151685.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009e19.bin
4da6163f6ad1e2436ec5332afa1af9824d6683915bf468d3917a0f1f0b397021		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9E19 4968 bytes
font_01_sfnt_off0000af06.bin
1bb9e513fff588354ede890485d0f8a0a4eeea8440dedd7abdb81e98d4caf81a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAF06 15432 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.