Malicious PDF — malware analysis report

Static analysis result for SHA-256 4e4acd073fde28eb…

MALICIOUS

PDF

46.7 KB Created: 2020-08-15 05:32:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ad070bcd6d444334c4cbf1ba57d3afc2 SHA-1: 4e3ae0385ef4da302d6f365536fe0419d795c8c1 SHA-256: 4e4acd073fde28ebc285708fd7f76f88fc0f571939d8e98e1f492b0e26a104ec
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/pify?keyword=berserk+manga+volume+3'. Additionally, it exhibits a PDF link farm behavior with numerous external links, many hosted on Shopify. The ML classifier also strongly flagged this PDF as malicious. The document body, though heavily obfuscated, contains the malicious URL and other PDF links, suggesting a lure to external content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=berserk+manga+volume+3
    • http://files.westcoastmuddypawz.com/uploads/1/3/2/7/132740361/bc2c7e09f758ffa.pdf
    • http://files.swansonvideoservice.com/uploads/1/3/1/3/131381804/9691300.pdf
    • https://cdn.shopify.com/s/files/1/0434/1507/7022/files/runnable_vs_callable.pdf
    • https://cdn.shopify.com/s/files/1/0433/0212/5733/files/31937927.pdf
    • https://cdn.shopify.com/s/files/1/0432/5530/0249/files/73081535464.pdf
    • https://cdn.shopify.com/s/files/1/0431/0056/9766/files/42354507834.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/fezusagofetivori.pdf
    • https://cdn.shopify.com/s/files/1/0433/1149/7366/files/44848063883.pdf
    • https://cdn.shopify.com/s/files/1/0432/8344/7966/files/xijexemabanegali.pdf
    • https://cdn.shopify.com/s/files/1/0431/4382/3511/files/40251017433.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005d2e.bin
b6568a03639cc0c5ace3dfbc3e69b7aedfcfd46c042ff66e7479098f4efe516b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D2E 3616 bytes
font_01_sfnt_off00006a0f.bin
fad7d488f7ae80b1150985610038d2251480b54d0ad818ccb42759695abb1277		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6A0F 5340 bytes
font_02_sfnt_off00007c2f.bin
02e94fd7cc81f157ef8a2701baca120fd16d251ab933570a5146f561ee6e85a5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C2F 15368 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.