Malicious PDF — malware analysis report

Static analysis result for SHA-256 99efcf415f966378…

MALICIOUS

PDF

42.3 KB Created: 2020-08-11 16:15:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b4907375bd830068a1886044d9bd75fe SHA-1: 724a69f8ddc8265dc23ffa12a9ae9bacfc58719a SHA-256: 99efcf415f966378151dd55ea2ea0ed814106bd051c32bbed1087d8b22277c66
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a high number of embedded links, many pointing to benign Shopify domains, but one critical link directs to a known malicious redirector at ttraff.ru. The document body, though heavily obfuscated, contains the target URL and appears to be a lure for a recipe PDF. The ML classifier strongly supports the malicious verdict. The primary attack vector is likely a phishing attempt using a seemingly innocuous document to redirect users to malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=easy+chocolate+cake+recipe+pdf
    • http://zujeluf.belsonproductions.com/uploads/1/3/1/3/131381464/dovepoted.pdf
    • http://files.piedmontgreencbd.com/uploads/1/3/0/7/130775866/fofobidarotuw.pdf
    • http://vikokuvas.misssuesfuturescholar.com/uploads/1/3/0/9/130968996/mavuguwisa.pdf
    • https://cdn.shopify.com/s/files/1/0430/2569/4883/files/biostar_handbook.pdf
    • https://cdn.shopify.com/s/files/1/0429/1382/4927/files/rpg_maker_mv_sprite_sheet.pdf
    • https://cdn.shopify.com/s/files/1/0435/4965/5203/files/mefonolasigerulisa.pdf
    • https://cdn.shopify.com/s/files/1/0432/7673/0533/files/44929456585.pdf
    • https://cdn.shopify.com/s/files/1/0431/0371/5481/files/14916692771.pdf
    • https://cdn.shopify.com/s/files/1/0429/6287/8618/files/67541040518.pdf
    • https://cdn.shopify.com/s/files/1/0439/0505/6920/files/30206944964.pdf
    • https://cdn.shopify.com/s/files/1/0429/5750/4668/files/programming_in_ansi_c_7th_edition_book.pdf
    • https://cdn.shopify.com/s/files/1/0439/1878/6728/files/butler_model.pdf
    • https://cdn.shopify.com/s/files/1/0428/7492/9308/files/33253226853.pdf
    • https://cdn.shopify.com/s/files/1/0428/6572/1503/files/fusexaxerezopipelexux.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000066ee.bin
a619092c1a2070d88ad9e62f7e9cc2570b759e81e4c1699e991f031c2face04b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66EE 5364 bytes
font_01_sfnt_off0000792a.bin
587d7a5c97af3593fa53d373a2fb1bb986f036ebfb357188b588f0f06c7122a7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x792A 10424 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.