Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f6c647733461b40…

MALICIOUS

PDF

45.3 KB Created: 2020-08-09 08:37:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b867ab376d8482cea0ce0027f8006b39 SHA-1: 2d5eef48db8bc5eb992de6132eb3ad00e430c2ff SHA-256: 7f6c647733461b404b9909af1be9f10b73e24c4e9c332d012710f10be0333167
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded links, a common tactic for SEO spam and phishing. One critical heuristic identified a link to a known malicious redirector, ttraff.cc, which is designed to obscure the final destination. The document body, though heavily obfuscated, contains text related to programming and URLs, reinforcing the lure. The ML classifier strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=learn+ruby+programming+language+pdf
    • http://files.fishytushy.net/uploads/1/3/2/8/132814906/6c9dff705.pdf
    • http://files.renewedreloved.com/uploads/1/3/1/4/131437085/58277453b708a40.pdf
    • http://files.crazycraftcubby.com/uploads/1/3/2/7/132741385/551906.pdf
    • https://cdn.shopify.com/s/files/1/0427/5830/8006/files/firozovavalalagilobefera.pdf
    • https://cdn.shopify.com/s/files/1/0435/0833/4744/files/11210946603.pdf
    • https://cdn.shopify.com/s/files/1/0428/8564/4447/files/38608032825.pdf
    • https://cdn.shopify.com/s/files/1/0433/9790/6589/files/bivotoximafojogemazal.pdf
    • https://cdn.shopify.com/s/files/1/0434/9073/8328/files/kikegosis.pdf
    • https://cdn.shopify.com/s/files/1/0431/5804/4827/files/byu_independent_study_classes.pdf
    • https://cdn.shopify.com/s/files/1/0431/1020/3556/files/historia_del_peru_jorge_basadre.pdf
    • https://cdn.shopify.com/s/files/1/0433/2388/3688/files/94288219793.pdf
    • https://cdn.shopify.com/s/files/1/0433/6576/1176/files/jibutanojopoxejiwo.pdf
    • https://cdn.shopify.com/s/files/1/0436/1574/8253/files/pebonuzi.pdf
    • https://cdn.shopify.com/s/files/1/0429/1277/6351/files/78625364880.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/mojarugalemidim.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000072ea.bin
dc1cccff6edf61a506c966143845a55c2c2df0c0da9ed7ae0c606b41c41e8ae9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x72EA 5368 bytes
font_01_sfnt_off00008525.bin
3f60f924be3d9efdecb06da08b9cad0e0c05a42a5a7b29037f23154156917f95		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8525 10320 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.