Malicious PDF — malware analysis report

Static analysis result for SHA-256 a1243a398cc00368…

MALICIOUS

PDF

Size: 54.2 KB  Created: 2020-08-16 22:13:50 +03:00  Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ac1e87af712aa7f14e7c803149798a8c  SHA-1: 5b048be06d8fdf751d2b2ba877b5c089fd60b4c9  SHA-256: a1243a398cc00368dff1d6bd97c99e38d4a61dc25392e1b30e936a51f862d12e
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link  T1059.001 PowerShell

The PDF contains a large number of links to external PDF files, most of them hosted on domains that appear to belong to a link farm. One critical heuristic matched a link to a known malicious redirector, https://ttraff.cc/pify?keyword=define+outdoor+advertising+pdf, which is likely used to hide the final destination behind a redirect chain. The ML classifier also scored the file as malicious. The document body, although heavily obfuscated, contains the same redirector URL, which reinforces its role in the attack chain. None of the findings involve a PDF parser vulnerability; the delivery depends on the user clicking a link.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=define+outdoor+advertising+pdf
    • http://files.corsetranch.com/uploads/1/3/1/0/131070888/tusawemevet-xumuzoju-penivoveg.pdf
    • http://gejonis.calgaryvet.com/uploads/1/3/1/4/131407158/ropadewerajumuvo.pdf
    • http://files.stannshohola.org/uploads/1/3/2/7/132710596/4193890.pdf
    • http://files.patokavalleycte.com/uploads/1/3/0/8/130873758/pawofutubotajeb-mazonobebazuli-lilenuterevor-xugalobepuz.pdf
    • https://cdn.shopify.com/s/files/1/0435/3762/9348/files/saninoninozatigixisodatu.pdf
    • https://cdn.shopify.com/s/files/1/0434/4204/5090/files/84261586285.pdf
    • https://cdn.shopify.com/s/files/1/0432/3426/3199/files/dimumipug.pdf
    • https://cdn.shopify.com/s/files/1/0431/6332/0471/files/29922835032.pdf
    • https://cdn.shopify.com/s/files/1/0428/6955/5356/files/maytag_bravos_xl_washer_manual.pdf
    • https://cdn.shopify.com/s/files/1/0440/6237/6088/files/ciao_adios_song_musicpleer.pdf
    • https://cdn.shopify.com/s/files/1/0431/3609/0269/files/30639987053.pdf
    • https://cdn.shopify.com/s/files/1/0432/5235/1144/files/last_call_movie_1991_free.pdf
    • https://cdn.shopify.com/s/files/1/0440/6090/1526/files/66163647479.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    (The last six entries are XMP metadata namespace URIs, the RDF, Dublin Core and Adobe XMP schema identifiers declared in the document's metadata packet; they are not clickable link targets and should not be counted toward the link-farm heuristic.)
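The two critical heuristics above amount to a small amount of logic over the document's link annotations: pull every /URI action out of the file, separate those from URLs that merely appear in the XMP metadata packet, check for a known redirector host, and flag a small file whose external links are mostly .pdf targets clustered on one host. The script below is an added example of that triage, not the analysis platform's own code. The redirector host list, the thresholds (100 KB, at least five .pdf links, half or more on one host) and the sample PDF fragment are assumptions; the fragment is constructed inline from a few of the URLs listed above so the example runs offline.

```python
"""Link-annotation triage modelled on PDF_MALICIOUS_REDIRECTOR_LINK and
PDF_SEO_LINK_FARM. Added example; thresholds and host list are assumptions."""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed: hosts the analyst already attributes to the redirector campaign.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.cc"}
# Assumed thresholds for "small carrier with many external .pdf links".
SMALL_PDF_BYTES = 100 * 1024
MIN_PDF_LINKS = 5
CLUSTER_FRACTION = 0.5

# /URI (literal string) inside a link action; PDF escapes \( \) \\ are allowed.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
# xmlns declarations inside the XMP metadata packet (schema URIs, not links).
XMP_NAMESPACE = re.compile(rb'xmlns:[A-Za-z0-9]+="([^"]+)"')


def _unescape(s: bytes) -> str:
    """Undo PDF literal-string backslash escapes."""
    return re.sub(rb"\\(.)", rb"\1", s).decode("latin-1")


def extract_urls(pdf: bytes):
    """Split URLs by the channel that carries them: link-annotation /URI
    actions versus XMP namespace declarations. Caveat: this regex pass only
    sees uncompressed objects; annotations inside FlateDecode'd object
    streams must be inflated first, and hex-string /URI <...> values are
    not handled."""
    links = [_unescape(m.group(1)) for m in URI_LITERAL.finditer(pdf)]
    namespaces = [m.group(1).decode("latin-1") for m in XMP_NAMESPACE.finditer(pdf)]
    return links, namespaces


def triage(pdf: bytes):
    """Apply the two link heuristics; returns (severity, rule_id, detail) tuples."""
    links, _ = extract_urls(pdf)
    findings = []
    for url in links:
        if (urlparse(url).hostname or "").lower() in KNOWN_REDIRECTOR_HOSTS:
            findings.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", url))
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf) <= SMALL_PDF_BYTES and len(pdf_links) >= MIN_PDF_LINKS:
        host, count = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)[0]
        if count / len(pdf_links) >= CLUSTER_FRACTION:
            findings.append(("critical", "PDF_SEO_LINK_FARM",
                             f"{len(pdf_links)} external .pdf links, {count} on {host}"))
    return findings


def build_sample_pdf(urls, namespaces) -> bytes:
    """Constructed PDF fragment for the demo: link annotations plus an XMP
    packet. It is not a loadable document, only the objects the regexes scan."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ("
        + u.encode() + b") >> >>\n" for u in urls)
    xmp = b"<x:xmpmeta><rdf:RDF " + b" ".join(
        b"xmlns:" + p.encode() + b'="' + ns.encode() + b'"' for p, ns in namespaces
    ) + b"/></x:xmpmeta>\n"
    return b"%PDF-1.4\n" + annots + xmp + b"%%EOF\n"


# Constructed sample: the redirector, two link-farm hosts, six cdn.shopify.com
# .pdf links and one ordinary non-PDF link; three XMP namespaces from the report.
SAMPLE_URLS = [
    "https://ttraff.cc/pify?keyword=define+outdoor+advertising+pdf",
    "http://files.corsetranch.com/uploads/1/3/1/0/131070888/tusawemevet-xumuzoju-penivoveg.pdf",
    "http://gejonis.calgaryvet.com/uploads/1/3/1/4/131407158/ropadewerajumuvo.pdf",
] + [f"https://cdn.shopify.com/s/files/1/043{n}/files/{n}.pdf" for n in range(6)] + [
    "https://example.com/about",
]
SAMPLE_NAMESPACES = [
    ("rdf", "http://www.w3.org/1999/02/22-rdf-syntax-ns#"),
    ("dc", "http://purl.org/dc/elements/1.1/"),
    ("pdf", "http://ns.adobe.com/pdf/1.3/"),
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS, SAMPLE_NAMESPACES)

if __name__ == "__main__":
    for severity, rule, detail in triage(SAMPLE_PDF):
        print(f"[{severity}] {rule}: {detail}")
```

On a real sample, inflate FlateDecode streams and object streams before the regex pass (or walk the annotation tree with a PDF library); the raw scan above is the quick first look, and its channel split is what keeps metadata namespace URIs out of the link-farm count.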

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000095bf.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x95BF   5236 bytes
  SHA-256: 1819eddebfc3013fcdec8dd070ccf9fcc24afbea96af2991547a78fa4d90adf8
font_01_sfnt_off0000a7ab.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xA7AB   10704 bytes
  SHA-256: 34b196cee6f7cff3379264268616a6b67c4be5eaaa3743f80ac30c84accc30e9