Malicious PDF — malware analysis report

Static analysis result for SHA-256 a56f191659bab056…

Verdict: MALICIOUS
File type: PDF
Size: 45.1 KB
Created: 2020-09-01 07:10:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b5298065c3d99871a12c0bd04b996309
SHA-1: 4fc26820433babb0d0eba1c8bbaf0ac71462dade
SHA-256: a56f191659bab05600abf5facd21758c38c378a92d52530e2616143cd8dd303b
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1059.001 Command and Scripting Interpreter: PowerShell

A critical heuristic fired on a malicious redirector link pointing to 'https://ttraff.cc/pify?keyword=accounting+standards+24+pdf', which indicates that the document's primary purpose is to route users to potentially harmful content. The PDF also exhibits link-farm characteristics, embedding many external links to other PDFs; the highest-reputation link among them is 'https://cdn.shopify.com/s/files/1/0434/0813/0197/files/87104715077.pdf', but a well-reputed hosting domain should not be read as a benign signal here, since the reputation of the host says nothing about the linked content. The Nyx PDF classifier also scored the file as malicious (1.0000).

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Clickable link URIs (the first is the flagged redirector):
    • https://ttraff.cc/pify?keyword=accounting+standards+24+pdf
    • https://cdn.shopify.com/s/files/1/0434/0813/0197/files/87104715077.pdf
    • https://cdn.shopify.com/s/files/1/0430/6790/0061/files/pukogemibegibununuser.pdf
    • https://cdn.shopify.com/s/files/1/0432/9878/3382/files/85223765494.pdf
    • https://cdn.shopify.com/s/files/1/0429/3486/1987/files/juxabapi.pdf
    • https://cdn.shopify.com/s/files/1/0462/9138/6529/files/kijukazepogonifugunenux.pdf
    • https://cdn.shopify.com/s/files/1/0437/7214/9921/files/android_uk_tv_apps_free.pdf
    • https://static.usrfiles.com/ugd/3f80ec_63a66f0f6af14409a3a4fffb351f3e15.pdf
    • https://static.usrfiles.com/ugd/b8c837_6f9bac77e7bd439588c58f39a9531f0f.pdf
    • https://static.usrfiles.com/ugd/57c819_db69ce8a2b1c43d5a38db16963376185.pdf
    • https://static.usrfiles.com/ugd/1c90dc_c2bb974241ac4ef48156d0d70f93795d.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/65107231385.pdf
    • https://cdn.shopify.com/s/files/1/0431/1813/3405/files/natural_language_processing.pdf
    • https://cdn.shopify.com/s/files/1/0440/1476/4190/files/57394405003.pdf
    • https://cdn.shopify.com/s/files/1/0433/1805/0984/files/weramijasafogu.pdf
    XMP metadata namespace URIs (standard namespace declarations in the document's metadata packet, not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
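As an added example (not the report's or the analysis platform's own code), the following Python scanner pulls URI actions out of raw PDF bytes and applies heuristics modelled on PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM. The thresholds, the redirector host set and the build_sample_pdf helper are assumptions for illustration; the sample PDF is constructed inline from a subset of the URLs listed above and is not the analysed file. It also shows why the XMP namespace URIs at the end of the list are not counted: they sit in the metadata stream as XML text, not in a /URI action.

```python
"""Added example: link-annotation URI extraction plus two heuristics
modelled on the report's PDF_MALICIOUS_REDIRECTOR_LINK / PDF_SEO_LINK_FARM.
Thresholds, host list and the sample PDF builder are assumptions."""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed tunables (the report does not publish its own thresholds).
KNOWN_REDIRECTOR_HOSTS = {"ttraff.cc"}   # the host of the flagged URL above
LINK_FARM_MAX_SIZE = 256 * 1024          # "small PDF"
LINK_FARM_MIN_PDF_LINKS = 5              # "many clickable external PDF links"
LINK_FARM_CLUSTER_RATIO = 0.5            # "mostly clustered on one host"

# A URI action is written "/S /URI /URI (string)". The first /URI names the
# action subtype and is not followed by "(", so only the string value matches.
# XMP namespace URIs are XML text inside the metadata stream and never match.
URI_ACTION = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def extract_uri_actions(pdf_bytes):
    """Return URI action targets in file order with literal-string escapes undone."""
    out = []
    for raw in URI_ACTION.findall(pdf_bytes):
        raw = re.sub(rb"\\([\\()])", lambda m: m.group(1), raw)  # \( \) \\
        out.append(raw.decode("latin-1"))
    return out


def assess(pdf_bytes):
    """Apply both heuristics; return what fired plus the supporting counts."""
    uris = extract_uri_actions(pdf_bytes)
    hosts = Counter((urlparse(u).hostname or "").lower() for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    fired = []
    if hosts.keys() & KNOWN_REDIRECTOR_HOSTS:
        fired.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if (len(pdf_bytes) <= LINK_FARM_MAX_SIZE
            and len(pdf_links) >= LINK_FARM_MIN_PDF_LINKS
            and top_n / len(uris) >= LINK_FARM_CLUSTER_RATIO):
        fired.append("PDF_SEO_LINK_FARM")
    return {"size": len(pdf_bytes), "uri_count": len(uris),
            "pdf_link_count": len(pdf_links), "top_host": top_host,
            "top_host_share": round(top_n / len(uris), 3) if uris else 0.0,
            "heuristics": fired}


def build_sample_pdf(urls):
    """Constructed test input: a minimal one-page PDF with one /Link annotation
    per URL and an XMP metadata stream carrying RDF/PDF namespace URIs. Not
    the analysed sample. The xref table is omitted because the scanner works
    on raw bytes rather than on the object graph."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/Annots [" + annots + b"] >>")
    xmp = (b"<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'"
           b" xmlns:pdf='http://ns.adobe.com/pdf/1.3/'/>")
    objs.append(b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n"
                % len(xmp) + xmp + b"\nendstream")
    for u in urls:
        lit = re.sub(rb"([\\()])", rb"\\\1", u.encode("latin-1"))  # escape ( ) \
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 700 200 720] "
                    b"/A << /S /URI /URI (" + lit + b") >> >>")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i, o)
                    for i, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed input: a subset of the URLs listed in this report.
SAMPLE_URLS = [
    "https://ttraff.cc/pify?keyword=accounting+standards+24+pdf",
    "https://cdn.shopify.com/s/files/1/0434/0813/0197/files/87104715077.pdf",
    "https://cdn.shopify.com/s/files/1/0430/6790/0061/files/pukogemibegibununuser.pdf",
    "https://cdn.shopify.com/s/files/1/0432/9878/3382/files/85223765494.pdf",
    "https://cdn.shopify.com/s/files/1/0429/3486/1987/files/juxabapi.pdf",
    "https://cdn.shopify.com/s/files/1/0462/9138/6529/files/kijukazepogonifugunenux.pdf",
    "https://static.usrfiles.com/ugd/3f80ec_63a66f0f6af14409a3a4fffb351f3e15.pdf",
    "https://static.usrfiles.com/ugd/b8c837_6f9bac77e7bd439588c58f39a9531f0f.pdf",
]

if __name__ == "__main__":
    print(assess(build_sample_pdf(SAMPLE_URLS)))
```

The regex-over-raw-bytes approach deliberately ignores the object graph, so it also sees link annotations in unreferenced or orphaned objects, at the cost of missing URIs hidden inside compressed object streams; a production scanner would decompress those first and then run the same extraction.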

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00007381.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7381  5500 bytes
  SHA-256: df4163a3b1b6d051449c7e3c336aeb7f999c605ab7db1e8d49fc207bd0329f04
font_01_sfnt_off00008655.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8655  9784 bytes
  SHA-256: dd0eb81b5c71952bfd138ab764bcc06eb9c61eae67a99aa8e66e430f1e3cdb36