Malicious PDF — malware analysis report

Static analysis result for SHA-256 a11b4b9abe26e3c7…

MALICIOUS

PDF

34.9 KB Created: 2020-08-13 16:16:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b21594883dab0d7bd4975f0f7f73a22d SHA-1: f09db8554a38f99d2d25ba37acc9ab13ba27135c SHA-256: a11b4b9abe26e3c7452eef2884a595abe83be32de427313983123a5865aecc7c
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.com/pify?keyword=libro+1000+bosquejos+para+predicadores+pdf'. This, combined with a high ML classifier score and numerous other embedded links, indicates a malicious intent to redirect the user. The document body, though heavily obfuscated, contains the same redirector URL and other PDF links, reinforcing the malicious nature of the file.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=libro+1000+bosquejos+para+predicadores+pdf
    • http://lebepuk.stanagebunn.com/uploads/1/3/1/4/131407226/8390054.pdf
    • http://files.bcinteriorjazzfestival.com/uploads/1/3/1/3/131398533/gogevuminamarav.pdf
    • http://files.amickscreativedesigns.com/uploads/1/3/1/6/131606128/59b0fbd3016762.pdf
    • http://files.heavygrail.net/uploads/1/3/1/3/131380733/bitat.pdf
    • http://files.bertsheffieldparaequestrianrider.com/uploads/1/3/0/8/130873781/pegonadotitinup_konoxi_xusim.pdf
    • https://cdn.shopify.com/s/files/1/0427/6820/3942/files/20641569633.pdf
    • https://cdn.shopify.com/s/files/1/0432/6581/8789/files/lajurosakurisezafiweb.pdf
    • https://cdn.shopify.com/s/files/1/0437/8984/4637/files/amada_bending_machine.pdf
    • https://cdn.shopify.com/s/files/1/0434/1566/6840/files/30087649809.pdf
    • https://cdn.shopify.com/s/files/1/0432/6889/8966/files/46672217030.pdf
    • https://cdn.shopify.com/s/files/1/0437/7529/5640/files/708_296_4502.pdf
    • https://cdn.shopify.com/s/files/1/0428/5677/5839/files/jazajugixu.pdf
    • https://cdn.shopify.com/s/files/1/0434/1386/4602/files/futenubugiwe.pdf
    • https://cdn.shopify.com/s/files/1/0431/0574/7095/files/biblical_dream_interpretation_book.pdf
    • https://cdn.shopify.com/s/files/1/0438/5167/7856/files/35590870605.pdf
    • https://cdn.shopify.com/s/files/1/0432/5113/8715/files/gividi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004a16.bin
dcc1321a46b3fee04cbedacdd9424c5a96bee781f7f476fd4462766d25b445c7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4A16 5596 bytes
font_01_sfnt_off00005d1f.bin
d5620a250b88c3e24111f7e7541b9b264a2810f983ce0e9a246d7d23e77ca615		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D1F 10280 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.