Malicious PDF — malware analysis report

Static analysis result for SHA-256 7bb7e46547be81b3…

MALICIOUS

PDF

44.1 KB Created: 2020-08-14 00:31:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a4368268ac8fac2edff22395b8b4a27b SHA-1: a40e3120935591e535a7adcd53e6764aff7e72d7 SHA-256: 7bb7e46547be81b3bd9bbfb552c308925c4552f40c41e097e02eb66b9ac75898
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a significant number of embedded links, with one pointing to a known malicious redirector. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external PDF links, suggesting a link farm or SEO manipulation tactic. The ML classifier also flagged this PDF with high confidence. The presence of the URL 'https://ttraff.com/pify?keyword=doctor+babu+doctor+babu+dj+song' suggests a potential lure or redirection mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=doctor+babu+doctor+babu+dj+song
    • http://jukobur.sciencehillbaseball.com/uploads/1/3/0/8/130874429/ruvix_zovizuza_dimuxexitase_wovivi.pdf
    • http://files.mrthaler.net/uploads/1/3/0/7/130776779/4600319.pdf
    • http://sewuwepi.glammeshops.com/uploads/1/3/1/0/131069839/4703593.pdf
    • https://cdn.shopify.com/s/files/1/0434/3313/2184/files/epson_perfection_v500_driver.pdf
    • https://cdn.shopify.com/s/files/1/0429/9600/7065/files/91543658442.pdf
    • https://cdn.shopify.com/s/files/1/0432/9422/8630/files/apsale_net_click_115667_9571_art.pdf
    • https://cdn.shopify.com/s/files/1/0431/4277/4938/files/16926941851.pdf
    • https://cdn.shopify.com/s/files/1/0428/0962/2691/files/23042110936.pdf
    • https://cdn.shopify.com/s/files/1/0432/2610/3971/files/sonojamotobe.pdf
    • https://cdn.shopify.com/s/files/1/0428/2338/5247/files/praktijkboek_bouwbesluit.pdf
    • https://cdn.shopify.com/s/files/1/0432/7201/1941/files/16493664935.pdf
    • https://cdn.shopify.com/s/files/1/0440/7492/6230/files/84487352096.pdf
    • https://cdn.shopify.com/s/files/1/0429/7405/2503/files/zawojorikomuv.pdf
    • https://cdn.shopify.com/s/files/1/0443/4313/2316/files/candra_malik.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000667a.bin
cadd0370fa0464e85e1891d39ca29bbeda22a34f9ccae032d221870fb91e0302		 pdf-font-stream PDF embedded font (sfnt) at offset 0x667A 5292 bytes
font_01_sfnt_off00007885.bin
c62099c1e5c3d681f2f74fc1a7fd8e1f9e9065354b810c70895da07bb648ae1d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7885 13904 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.