Malicious PDF — malware analysis report

Static analysis result for SHA-256 9166a51b61d7be51…

MALICIOUS

PDF

Size: 43.7 KB
Created: 2020-08-10 00:05:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c16457258f4892361a16479f892e8512
SHA-1: 6c474a3862d32b886160849bc7ccbdba646b12e1
SHA-256: 9166a51b61d7be511193b3bdd9605e5cdec3ac8b9aae49b6ce56283991be1ea5
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, one of which points to a known malicious redirector at `https://ttraff.cc/pify?keyword=practice+act+free+pdf`. This indicates that the document's primary purpose is to redirect users to malicious infrastructure. The many Shopify links, most of which are confirmed benign, suggest an attempt to blend in with legitimate content while masking the malicious redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=practice+act+free+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006e0e.bin
SHA-256: 73bf5d6b470a4515c0f348853da9c1ecb3448f59470f80089b9ffdff3892c574
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6E0E
Size: 4940 bytes

Filename: font_01_sfnt_off00007eed.bin
SHA-256: ecc6e2088eb973fdd10e62e1a3ab0b1d6003495bc2ccf3f17c2fd003e70437b4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7EED
Size: 10388 bytes