Malicious PDF — malware analysis report

Static analysis result for SHA-256 90d3605be0419971…

MALICIOUS

PDF

40.4 KB Created: 2020-08-19 01:07:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a99fa9222d2564836573b99cb649cee7 SHA-1: c297058447c596a3bb1e0e9671edc90e327e5f44 SHA-256: 90d3605be04199710a083aa94034e65c288b5e85f1be5aa69c4fc7c0a1161560
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/pify?keyword=hello+baby+monitor+user+guide'. This URL is embedded within the document body, suggesting a social engineering lure disguised as a user guide. The presence of a large number of external PDF links, many hosted on Shopify, further indicates a link farm or redirection strategy. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=hello+baby+monitor+user+guide
    • http://files.tif.design/uploads/1/3/0/7/130739570/pejufikijid.pdf
    • http://files.speedwayandroadracehistory.com/uploads/1/3/1/0/131070309/9782484.pdf
    • http://files.deannaradaj.com/uploads/1/3/0/9/130969354/fulututowodenimuto.pdf
    • http://files.cedarridgeupnorth.com/uploads/1/3/1/3/131384127/dagipikuju_tuwax.pdf
    • http://files.bbeautyco.com/uploads/1/3/1/3/131384573/dagoxe.pdf
    • https://cdn.shopify.com/s/files/1/0433/7431/3621/files/4647834884.pdf
    • https://cdn.shopify.com/s/files/1/0431/2468/7014/files/tiff_file_to.pdf
    • https://cdn.shopify.com/s/files/1/0430/3110/1603/files/15785908649.pdf
    • https://cdn.shopify.com/s/files/1/0431/4952/5149/files/fundamental_managerial_accounting_concepts.pdf
    • https://cdn.shopify.com/s/files/1/0432/3681/9104/files/zijon.pdf
    • https://cdn.shopify.com/s/files/1/0430/1471/7597/files/zopakexis.pdf
    • https://cdn.shopify.com/s/files/1/0433/9122/1911/files/biological_product_deviation_report_definition.pdf
    • https://cdn.shopify.com/s/files/1/0437/3191/0821/files/zagudurivamaduvoduk.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006078.bin
d9cc3f5e6df9fb4ce6ae6cf7837c2a80eb650aeeb561efdf397fe4ed448aa5e3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6078 5348 bytes
font_01_sfnt_off00007287.bin
f728c86a2ce01e8e568a6e49a0593ee2b40c8d7c448a858217ec1fe6fed7abe7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7287 10144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.