Malicious PDF — malware analysis report

Static analysis result for SHA-256 4d0967130d313ea8…

MALICIOUS

PDF

44.6 KB Created: 2020-07-29 18:38:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bba606be7a46c504f5612b3ab03fd050 SHA-1: d53c439dcb88eb9e78643153cd87934e90b97ca4 SHA-256: 4d0967130d313ea81dca9ee9f29ff2762f1410dc0ed55b92021f4906af866254
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged by a critical heuristic for linking to known malicious redirector infrastructure, specifically 'ttraff.cc'. Additionally, it contains a mass of external PDF links, likely for SEO manipulation or to distribute further malicious content. The ML classifier also strongly indicated maliciousness. No scripts were extracted, and the document body was heavily obfuscated, preventing a deeper analysis of the lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=apostle+johnson+suleman+biography+pdf
    • http://files.jqacademy.org/uploads/1/3/2/3/132303126/tobejesojes_fatiji_pusaxuwadila.pdf
    • http://files.eslmyway.com/uploads/1/3/2/8/132814427/320354.pdf
    • http://files.forsythsfrostedfancies.com/uploads/1/3/1/3/131380337/kipunukolorixiligam.pdf
    • http://files.wagndog.com/uploads/1/3/2/6/132681502/temafewosoxukad_dazibu.pdf
    • http://files.jqacademy.org/uploa
    • https://cdn.shopify.com/s/files/1/0428/2161/5775/files/bozidim.pdf
    • https://cdn.shopify.com/s/files/1/0428/1312/8867/files/lufebarovivefosobupagug.pdf
    • https://cdn.shopify.com/s/files/1/0429/6874/4087/files/risumamaduzozivovijaba.pdf
    • https://cdn.shopify.com/s/files/1/0437/2873/2314/files/357875875.pdf
    • https://cdn.shopify.com/s/files/1/0428/3462/4679/files/92011512307.pdf
    • https://cdn.shopify.com/s/files/1/0429/8915/8554/files/tilupelanitewemaxizu.pdf
    • https://cdn.shopify.com/s/files/1/0430/6717/9165/files/powugox.pdf
    • https://cdn.shopify.com/s/files/1/0427/9789/1751/files/4277724155.pdf
    • https://cdn.shopify.com/s/files/1/0429/7896/7703/files/dubixoxinixuleburemote.pdf
    • https://cdn.shopify.com/s/files/1/0427/6381/3020/files/xuronebadavulazalo.pdf
    • https://cdn.shopify.com/s/files/1/0429/8794/6133/files/fakibubawozapowitefiwuk.pdf
    • https://cdn.shopify.com/s/files/1/0437/3970/9589/files/18174051833.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006f94.bin
cdad6ecf25a1c58a93f7845e0c2781147573f0b56e888c8f10437354b453f35d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F94 5644 bytes
font_01_sfnt_off00008298.bin
4d1271eae091f892074dfb6610d5655f6361423e1eec91d99cfba8a3789022b7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8298 10128 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.