Malicious PDF — malware analysis report

Static analysis result for SHA-256 9a8c7b746a593cba…

Verdict: MALICIOUS
File type: PDF
Size: 42.4 KB
Created: 2020-08-17 01:05:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a7ed7ada08589f78a3f7d56f7f374d50
SHA-1: 0b9131ae9ba474f6aff2fce04cc07911bb72f366
SHA-256: 9a8c7b746a593cbabfede8438bbaae0ec748349326d3f56d147e23588cf41b59
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a mass external link farm, and a critical heuristic fires for a link to a known malicious redirector. The document body, although heavily obfuscated, contains the URL 'https://ttraff.ru/pify?keyword=arvind+akela+new+song+2019', which is most likely placed there to lure the user into clicking it. This pattern indicates a phishing or malware delivery attempt that depends on user interaction rather than on a parser exploit.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=arvind+akela+new+song+2019

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off00004276.bin
    SHA-256: a23d6b81a7f574dc530a3e5e966ff75f2dc674e3175554b3c34dece30ea005da
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4276
    Size: 5680 bytes
  • font_01_sfnt_off000055f3.bin
    SHA-256: d5ecec3e822993868ba70e247019bcdb656a9fee58d620eb93bc70658e929280
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x55F3
    Size: 3720 bytes
  • font_02_sfnt_off00006156.bin
    SHA-256: c7785c8a91bc7103b871891b889512aba60b716e68fc07e3809139158893345b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6156
    Size: 10132 bytes
  • font_03_sfnt_off00008417.bin
    SHA-256: b84726d9c581fe8e4d33c06c1e7b925b8a2e129ba5babe8f92a2bbfa4ee72eb9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8417
    Size: 7088 bytes