Malicious PDF — malware analysis report

Static analysis result for SHA-256 87a5384a827b9cfb…

MALICIOUS

PDF

33.6 KB Created: 2020-09-16 21:34:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0400ce1ff399c04c56d161ac2f79fba6 SHA-1: 9145088e9aa70818e615eda66d766032680b461e SHA-256: 87a5384a827b9cfbb23dbfc47cd556b1bcdab7f1527754ae60d8a4ef41defc55
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF was flagged by multiple critical heuristics for containing malicious redirector links and a large number of external links, suggesting a link farm or phishing attempt. The ML classifier also strongly indicated maliciousness. The embedded URL 'https://ttraff.me/pify?keyword=twinsburg+high+school+athletics' is a primary indicator of malicious redirection. The document body, though heavily obfuscated, contains this URL and other embedded links, reinforcing the attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/pify?keyword=twinsburg+high+school+athletics
    • http://files.energyworx2.co.uk/uploads/1/3/1/3/131398097/gijuwemoxapuw-pileduseja-dejoleve.pdf
    • http://files.graybeardsaz.com/uploads/1/3/1/6/131606208/gaxodowuk.pdf
    • http://xaxax.jeanetteluchesestudio.com/uploads/1/3/1/8/131858172/e0e7061fe786ca4.pdf
    • http://files.truthfulcomics.com/uploads/1/3/0/7/130775583/8273776.pdf
    • https://cdn.shopify.com/s/files/1/0436/2852/7779/files/angular_4_dynamic_form_validation_on_submit.pdf
    • https://cdn.shopify.com/s/files/1/0430/7543/6705/files/lapasogufalatewimisuv.pdf
    • https://cdn.shopify.com/s/files/1/0433/3810/4985/files/abbyy_transformer_3._0_full_crack.pdf
    • https://5f8c02b0-024f-4999-aabb-56e5325f35c9.filesusr.com/ugd/d43733_b2caa3cc3b2840e7bbbf80513e91bab3.pdf?index=true
    • https://55877602-bc44-484f-b78f-07d45f338d9a.filesusr.com/ugd/957c7b_8ee84fdabf0540fc93997a457b83fa6f.pdf?index=true
    • https://59c880dd-cadf-4b91-b6f4-cc2059e66460.filesusr.com/ugd/856cea_14bf297302ee4c579a7d336dd21be687.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000442a.bin
57f97bc9ea951ea73f854d84de4a449ac9c017b7ca92b6d9f8233c6185249c33		 pdf-font-stream PDF embedded font (sfnt) at offset 0x442A 5240 bytes
font_01_sfnt_off0000560b.bin
2c86cba93237088f9bef754c6fd102dde088dd29d5749f6e002bd4b8692d22b8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x560B 10512 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.