Malicious PDF — malware analysis report

Static analysis result for SHA-256 a3277fafbabb67c8…

MALICIOUS

PDF

350.3 KB Created: 2020-08-03 14:20:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b307630f1cab9830b3b7e6160f18cfae SHA-1: 1c87233be5b08f689ceb7bb7a29d662240cb8bc9 SHA-256: a3277fafbabb67c83d84064535bbea8c3a48c8826115b4770bb8f2da203c5f17
90 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing indicating it links to a known malicious redirector. The embedded URL, 'https://ttraff.com/pify?keyword=manifesting+the+gifts+of+the+holy+spirit+pdf', is directly associated with this malicious activity. The document body, though heavily obfuscated, contains references to the URL and the topic of spiritual gifts, suggesting a social engineering lure. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=manifesting+the+gifts+of+the+holy+spirit+pdf
    • http://files.mariebanville.ca/uploads/1/3/2/8/132815004/87eaf550.pdf
    • http://files.mountainlaureltennisclub.com/uploads/1/3/0/8/130814390/4a190a9e95.pdf
    • http://files.keeptheflame.net/uploads/1/3/1/3/131380953/sazulipumakesapaw.pdf
    • http://files.mountainharvestfarmllc.com/uploads/1/3/0/7/130775803/tezusufowemesir.pdf
    • https://cdn.shopify.com/s/files/1/0431/6191/1458/files/zikivoja.pdf
    • https://cdn.shopify.com/s/files/1/0431/8461/9680/files/1952802213.pdf
    • https://cdn.shopify.com/s/files/1/0438/6455/5675/files/zaxajujuxeg.pdf
    • https://cdn.shopify.com/s/files/1/0438/1271/6701/files/subuta.pdf
    • https://cdn.shopify.com/s/files/1/0431/8714/2818/files/bukisulukotil.pdf
    • https://cdn.shopify.com/s/files/1/0430/7232/3737/files/how_to_open_a._db_file.pdf
    • https://cdn.shopify.com/s/files/1/0431/9854/6084/files/laxojoxodadar.pdf
    • https://cdn.shopify.com/s/files/1/0427/8750/4294/files/womofokutazadesaretuf.pdf
    • https://cdn.shopify.com/s/files/1/0436/2698/7680/files/20411818479.pdf
    • https://cdn.shopify.com/s/files/1/0430/9748/9572/files/45389935719.pdf
    • https://cdn.shopify.com/s/files/1/0437/6441/6661/files/wet_hands_piano.pdf
    • https://cdn.shopify.com/s/files/1/0434/8113/7316/files/fujorifamokizosonurukoti.pdf
    • https://cdn.shopify.com/s/files/1/0429/5468/6630/files/58072849337.pdf
    • https://cdn.shopify.com/s/files/1/0434/5213/7622/files/linux_combine.pdf
    • https://cdn.shopify.com/s/files/1/0428/9409/8598/files/64710891142.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00053373.bin
ff0fe1bc07b75bb10fd171ae73a9f6913b18758a49706cb45ef20672cefb83ae		 pdf-font-stream PDF embedded font (sfnt) at offset 0x53373 5412 bytes
font_01_sfnt_off000545ec.bin
fa0ef569770b20c6fcf647ba6a8d40fb2084008444090b7317bc6872e79d6e27		 pdf-font-stream PDF embedded font (sfnt) at offset 0x545EC 10448 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.