Malicious PDF — malware analysis report

Static analysis result for SHA-256 55019a6ff28e7e8d…

MALICIOUS

PDF

44.7 KB Created: 2020-08-18 20:46:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a1fa605c97d62d18b7ead30d3b56bd3b SHA-1: c2a2ed7f9c3f643b88a4393580d815260239ac8e SHA-256: 55019a6ff28e7e8dc71963d8501a7179bfde5e14e032f5aa565c5d68fb582bc4
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to Shopify-hosted PDFs, forming a link farm. The primary malicious URL, 'https://ttraff.ru/pify?keyword=sultan+bengali+movie++video', is identified as a redirector. This suggests a phishing or scam campaign designed to lure users through SEO-optimized content to a malicious destination. The ML classifier strongly supports the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=sultan+bengali+movie++video
    • http://files.buybacktheblockvip.org/uploads/1/3/2/6/132682093/2111636.pdf
    • https://cdn.shopify.com/s/files/1/0448/9006/3003/files/3d_reader_video.pdf
    • https://cdn.shopify.com/s/files/1/0429/3564/8409/files/32787239181.pdf
    • https://cdn.shopify.com/s/files/1/0434/3624/5142/files/brand_identity_template.pdf
    • https://cdn.shopify.com/s/files/1/0428/8669/3023/files/stats_modeling_the_world.pdf
    • https://cdn.shopify.com/s/files/1/0434/0357/5454/files/20711127192.pdf
    • https://cdn.shopify.com/s/files/1/0435/5653/6471/files/analyzing_climate_data_worksheet_answers.pdf
    • https://cdn.shopify.com/s/files/1/0437/0890/7688/files/40764069696.pdf
    • https://cdn.shopify.com/s/files/1/0432/9373/7118/files/fuxakujenibewan.pdf
    • https://cdn.shopify.com/s/files/1/0434/7471/4790/files/5718935380.pdf
    • https://cdn.shopify.com/s/files/1/0432/5949/4555/files/64498129776.pdf
    • https://cdn.shopify.com/s/files/1/0431/0741/8274/files/51767358507.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000072bd.bin
a129ac5bcef2e14fa772a9d3fbacd1210f6443b3499979ce1cf37ee4b7a8225b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x72BD 5172 bytes
font_01_sfnt_off0000844c.bin
0a931e82fb3d6f876eba27070c7aa6122407452d0859f4fa64bf52fe95d31684		 pdf-font-stream PDF embedded font (sfnt) at offset 0x844C 9852 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.