Malicious PDF — malware analysis report

Static analysis result for SHA-256 550462dd70efc2cc…

Verdict: MALICIOUS

File type: PDF

Size: 48.0 KB
Created: 2020-08-13 22:44:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ab51a6a079b8584dd8a51910c86746c5
SHA-1: 4df6396c00202104068455ea687b5965f2dcbafb
SHA-256: 550462dd70efc2ccb79051685f1a2520b97d43fb7b1c977b4cd9c9ba3f9dc8b3
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a high number of embedded links, many pointing to external sites, with one specifically identified as a malicious redirector. The document body, though heavily obfuscated, contains the URL https://ttraff.cc/pify?keyword=accident+report+writing+training, which is flagged as malicious. This suggests the document is designed to trick users into visiting malicious infrastructure under the guise of training materials.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=accident+report+writing+training (flagged as malicious)
    • http://taboguvi.fevershowroom.com/uploads/1/3/1/1/131164250/xizoxavamebalepu.pdf
    • http://files.missenglandsclass.com/uploads/1/3/1/3/131378942/xupigubibiremow.pdf
    • http://files.massageinnelson.com/uploads/1/3/0/8/130813988/1636862.pdf
    • http://files.jensokolfitness.com/uploads/1/3/0/8/130814052/fuzuwabasiri-lujemekosanom-kevijutukazufat-kesuzezagirevu.pdf
    • http://gepiniv.savannahbrooklynharrell.com/uploads/1/3/1/6/131607600/konedajeletixiw.pdf
    • https://cdn.shopify.com/s/files/1/0438/1619/0112/files/bowflex_workout_plans.pdf
    • https://cdn.shopify.com/s/files/1/0455/4902/7493/files/8321421637.pdf
    • https://cdn.shopify.com/s/files/1/0434/7589/4437/files/12371080143.pdf
    • https://cdn.shopify.com/s/files/1/0435/3094/4671/files/87553941313.pdf
    • https://cdn.shopify.com/s/files/1/0435/6728/4387/files/62483222248.pdf
    • https://cdn.shopify.com/s/files/1/0429/5491/6003/files/depikolumubawa.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/64541570927.pdf
    • https://cdn.shopify.com/s/files/1/0428/6958/8124/files/js_blob_download.pdf
    • https://cdn.shopify.com/s/files/1/0432/6273/8592/files/american_english_file_level_5_answer_key.pdf
    • https://cdn.shopify.com/s/files/1/0432/9222/9787/files/fepejekilidivarovetadagef.pdf
    • https://cdn.shopify.com/s/files/1/0430/1701/1353/files/98530589359.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00007650.bin
    SHA-256: 7fb5b213472faba612aed32215e80eea73783ff1ef3e3be3343328f42ead2721
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7650
    Size: 5112 bytes
  • Filename: font_01_sfnt_off000087c7.bin
    SHA-256: f4bd51b81f883ddd555de236bb5cd81d05251c33cdf3fe97d39dd64390487679
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x87C7
    Size: 13696 bytes