Malicious PDF — malware analysis report

Static analysis result for SHA-256 9df2fb23cb3b6cd1…

Verdict: MALICIOUS
File type: PDF
Size: 41.1 KB
Created: 2020-08-02 17:08:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 04d48020265be6ab32097311d1a24e12
SHA-1: 2de8f6da46ae8065dc253f397aa8d3b486d7451d
SHA-256: 9df2fb23cb3b6cd1f60e3958b35a3deedb0910b43f067a790ebbaebd1af57478
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The critical PDF_MALICIOUS_REDIRECTOR_LINK heuristic fires on a clickable link to ttraff.cc, and the PDF_SEO_LINK_FARM heuristic corroborates it: the file is small, was generated by an HTML-to-PDF converter (wkhtmltopdf), and is packed with links to other PDFs, most of them on cdn.shopify.com. Although the document body is obfuscated, it carries the URL that triggers the redirector. The primary malicious URL is https://ttraff.cc/pify?keyword=calculus+early+transcendentals+10th+edition+pdf+free; its keyword parameter mirrors the search-engine lure (a free textbook PDF), and the redirector routes anyone who clicks into a chain that ends in unwanted or harmful downloads. Delivery depends on user interaction and redirect chains rather than a PDF parser vulnerability; the only artifacts carved from the file are two embedded fonts.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL:
    • https://ttraff.cc/pify?keyword=calculus+early+transcendentals+10th+edition+pdf+free
    Clickable external PDF links (16 in total, 13 of them on cdn.shopify.com):
    • http://wiwiz.fasdnetwork.org/uploads/1/3/1/4/131407067/9a89f36b0c02.pdf
    • http://files.musicfromthewestcoast.com/uploads/1/3/0/7/130739616/5952019.pdf
    • http://files.mondaymorningpositivity.com/uploads/1/3/2/7/132740594/ranan.pdf
    • https://cdn.shopify.com/s/files/1/0429/2568/6951/files/kafepapan.pdf
    • https://cdn.shopify.com/s/files/1/0431/6423/7992/files/waxudidejasobezavadalunod.pdf
    • https://cdn.shopify.com/s/files/1/0431/9143/5422/files/wejad.pdf
    • https://cdn.shopify.com/s/files/1/0429/7054/6335/files/4833833878.pdf
    • https://cdn.shopify.com/s/files/1/0427/4647/8759/files/tidusiferezegarufes.pdf
    • https://cdn.shopify.com/s/files/1/0428/0041/4883/files/30516797783.pdf
    • https://cdn.shopify.com/s/files/1/0427/5293/4044/files/29542342299.pdf
    • https://cdn.shopify.com/s/files/1/0432/5877/3662/files/58061102701.pdf
    • https://cdn.shopify.com/s/files/1/0428/2171/4079/files/95634128246.pdf
    • https://cdn.shopify.com/s/files/1/0438/3365/5446/files/bloons_tower_defense_3.pdf
    • https://cdn.shopify.com/s/files/1/0431/7052/9436/files/tapuresov.pdf
    • https://cdn.shopify.com/s/files/1/0432/8305/4757/files/46049890673.pdf
    • https://cdn.shopify.com/s/files/1/0439/3995/4856/files/kunaboliv.pdf
    XMP metadata namespace URIs (the standard RDF, Dublin Core and Adobe XMP namespace identifiers from the document's metadata packet; not clickable links and not a detection):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
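The following Python is an added example, not the analysis platform's own code. It reproduces the two link heuristics above on a constructed PDF: it pulls the /URI values out of link annotations (literal and hex strings), applies the redirector and link-farm rules, and separates XMP namespace URIs from clickable links. The thresholds, the redirector blocklist and the sample file are assumptions; the URLs used to build the sample are the ones listed in this report.

```python
"""Link-based triage for a PDF (added example; thresholds and blocklist are assumed)."""
import re
from collections import Counter
from urllib.parse import urlparse

SMALL_PDF_BYTES = 100 * 1024   # assumed: what counts as a "small" PDF
MIN_PDF_LINKS = 8              # assumed: external .pdf links needed to call it a farm
TOP_HOST_SHARE = 0.6           # assumed: share of .pdf links on the busiest host
REDIRECTOR_HOSTS = {"ttraff.cc"}   # assumed blocklist; ttraff.cc is the host named in the report

# Standard namespace URIs present in any XMP metadata packet; never clickable links.
XMP_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/pdf/1.3/",
    "http://ns.adobe.com/xap/1.0",
)

# /URI value of a link annotation: literal string (...) or hex string <...>.
# Caveat: a byte-level regex misses annotations stored inside compressed object
# streams (/ObjStm) and mishandles literal strings with escaped parentheses;
# a production tool should inflate streams and walk the object tree instead.
URI_ANNOT_RE = re.compile(rb"/URI\s*(?:\(([^)]*)\)|<([0-9A-Fa-f\s]*)>)")
ANY_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")


def extract_link_uris(data: bytes) -> list[str]:
    """URIs wired to clickable /Link annotations, in file order."""
    uris = []
    for lit, hexstr in URI_ANNOT_RE.findall(data):
        raw = lit if lit else bytes.fromhex(hexstr.decode("ascii"))
        uris.append(raw.decode("latin-1"))
    return uris


def classify_urls(data: bytes) -> dict[str, list[str]]:
    """Every http(s) string in the file, split into link annotations, XMP namespaces and the rest."""
    out = {"link": [], "xmp-namespace": [], "other": []}
    seen = set()
    for u in extract_link_uris(data):
        if u not in seen:
            seen.add(u)
            out["link"].append(u)
    for m in ANY_URL_RE.findall(data):
        u = m.decode("latin-1")
        if u in seen:
            continue
        seen.add(u)
        out["xmp-namespace" if u.startswith(XMP_NAMESPACE_PREFIXES) else "other"].append(u)
    return out


def run_heuristics(data: bytes) -> dict:
    """Apply PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM to raw PDF bytes."""
    links = extract_link_uris(data)
    findings = {}
    hits = [u for u in links if (urlparse(u).hostname or "") in REDIRECTOR_HOSTS
            or any((urlparse(u).hostname or "").endswith("." + r) for r in REDIRECTOR_HOSTS)]
    if hits:
        findings["PDF_MALICIOUS_REDIRECTOR_LINK"] = {"severity": "critical", "urls": hits}
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    if len(data) < SMALL_PDF_BYTES and len(pdf_links) >= MIN_PDF_LINKS:
        top_host, top_count = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)[0]
        share = top_count / len(pdf_links)
        if share >= TOP_HOST_SHARE:
            findings["PDF_SEO_LINK_FARM"] = {"severity": "critical", "pdf_links": len(pdf_links),
                                             "top_host": top_host, "top_host_share": round(share, 2)}
    return findings


# URLs taken from the report above; used only to build the constructed sample.
SAMPLE_LINKS = [
    "https://ttraff.cc/pify?keyword=calculus+early+transcendentals+10th+edition+pdf+free",
    "http://wiwiz.fasdnetwork.org/uploads/1/3/1/4/131407067/9a89f36b0c02.pdf",
    "http://files.musicfromthewestcoast.com/uploads/1/3/0/7/130739616/5952019.pdf",
    "https://cdn.shopify.com/s/files/1/0429/2568/6951/files/kafepapan.pdf",
    "https://cdn.shopify.com/s/files/1/0431/6423/7992/files/waxudidejasobezavadalunod.pdf",
    "https://cdn.shopify.com/s/files/1/0431/9143/5422/files/wejad.pdf",
    "https://cdn.shopify.com/s/files/1/0429/7054/6335/files/4833833878.pdf",
    "https://cdn.shopify.com/s/files/1/0427/4647/8759/files/tidusiferezegarufes.pdf",
    "https://cdn.shopify.com/s/files/1/0428/0041/4883/files/30516797783.pdf",
    "https://cdn.shopify.com/s/files/1/0427/5293/4044/files/29542342299.pdf",
    "https://cdn.shopify.com/s/files/1/0432/5877/3662/files/58061102701.pdf",
]


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed minimal PDF (not the analysed file): one page of /Link annotations plus an XMP packet."""
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/"/>')
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"",  # page object, filled in once the annotation numbers are known
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream" % (len(xmp), xmp),
    ]
    annot_refs = []
    for i, url in enumerate(urls):
        u = url.encode()
        # The first link is written as a hex string: a plain grep for the host misses it.
        value = b"<" + u.hex().encode() + b">" if i == 0 else b"(" + u + b")"
        annot_refs.append(b"%d 0 R" % (len(objs) + 1))
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI " + value + b" >> >>")
    objs[2] = b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + b" ".join(annot_refs) + b"] >>"
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"   # xref omitted: not needed for byte-level triage


if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_LINKS)
    print(classify_urls(sample))
    print(run_heuristics(sample))
```

On the constructed sample both critical heuristics fire, the two namespace URIs land in the xmp-namespace bucket, and the hex-encoded ttraff.cc link is found even though the host name never appears in the raw bytes, which is why URL extraction has to decode annotation strings rather than grep the file.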

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded sfnt (TrueType/OpenType) font programs, the normal output of an HTML-to-PDF converter; no heuristic fires on them.

Filename                        Kind             Source                                      Size         SHA-256
font_00_sfnt_off000062a2.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x62A2   5444 bytes   c87625c337c2161dc4aed959a4c67e83155d3475cda0dcf154a8ef2d52484dd5
font_01_sfnt_off00007523.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x7523   10044 bytes  2fd49ae4006121c5c9eeb3393ff30fa6f588b7c115c7c50b5871803a7e10a8b7
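To reproduce this kind of carving and verify the reported hashes yourself, here is an added example (not the analysis platform's carver) that walks every stream object in a PDF, inflates it when the stream dictionary declares /FlateDecode, and keeps the ones that start with an sfnt magic number. The file-name pattern follows the artifact names above; the constructed sample PDF and the SFNT_MAGICS list are assumptions.

```python
"""Carve embedded sfnt font programs from a PDF (added example with a constructed sample)."""
import hashlib
import re
import zlib

# sfnt magic numbers: TrueType (0x00010000 or 'true'), CFF-based OpenType ('OTTO'), collection ('ttcf').
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")

# A non-nested dictionary directly followed by 'stream', then data up to 'endstream'.
# Caveats: nested dictionaries (e.g. /DecodeParms << >>) and streams inside object
# streams need a real object parser, and binary data containing the bytes
# "\nendstream" would truncate the match; the /Length entry is the authoritative bound.
STREAM_RE = re.compile(rb"<<((?:(?!<<|>>).)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def carve_sfnt_fonts(pdf: bytes) -> list[dict]:
    """Return one record per embedded sfnt font: report-style name, file offset, size, SHA-256."""
    fonts = []
    for m in STREAM_RE.finditer(pdf):
        dictionary, raw = m.group(1), m.group(2)
        offset = m.start(2)  # offset of the stream data inside the file
        data = raw
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # truncated or not really deflate: skip rather than crash the run
        if not data.startswith(SFNT_MAGICS):
            continue
        fonts.append({
            "filename": f"font_{len(fonts):02d}_sfnt_off{offset:08x}.bin",
            "offset": offset,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "compressed": data is not raw,
        })
    return fonts


def build_sample_pdf() -> bytes:
    """Constructed PDF fragment (not the analysed file): a Flate-compressed TrueType-style
    program, a raw OpenType ('OTTO') program, and a content stream that is not a font."""
    ttf = b"\x00\x01\x00\x00" + b"\x00\x0b" + b"A" * 100   # sfnt header + placeholder table data
    otf = b"OTTO" + b"\x00\x05" + b"B" * 60
    content = b"BT /F1 12 Tf (hello) Tj ET"

    def obj(num: int, extra: bytes, data: bytes) -> bytes:
        return (b"%d 0 obj\n<< /Length %d%s >>\nstream\n" % (num, len(data), extra)
                + data + b"\nendstream\nendobj\n")

    body = b"%PDF-1.4\n"
    body += obj(4, b" /Filter /FlateDecode", zlib.compress(ttf))
    body += obj(5, b" /Length1 %d" % len(otf), otf)
    body += obj(6, b"", content)
    return body + b"%%EOF\n"


if __name__ == "__main__":
    for rec in carve_sfnt_fonts(build_sample_pdf()):
        print(rec)
```

Hashing the inflated bytes rather than the raw stream is what makes the SHA-256 comparable across samples: two generated carriers that embed the same font subset produce identical carved artifacts even when their deflate output differs.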