Malicious PDF — malware analysis report

Static analysis result for SHA-256 accbe2f6ef7f04cf…

Verdict: MALICIOUS
File type: PDF

Size: 51.9 KB
Created: 2020-09-26 10:02:21 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 000f2d1ed236e6776aadec252d4b5aa3
SHA-1: 52fd18a21fa13e72ec0f6abf5f7ade03be1a4ead
SHA-256: accbe2f6ef7f04cf0c6535833c1e08cf20d7df89d7147f89d9d51fb9cad186ec
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains a large number of embedded URLs, and the critical PDF link-farm heuristic fires. One of the primary URLs, 'https://ttraff.ru/pify?keyword=altar+of+zeus+hitler', is flagged as malicious: it points at redirector infrastructure used by a known PDF SEO/adware delivery campaign. The document body, though heavily obfuscated, also carries this URL, so it reaches the reader both as a clickable link annotation and as visible text, consistent with a lure to external content rather than an exploit of the PDF parser. The ML classifier strongly supports the malicious verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged malicious (clickable link annotation, also present in the document body):
    • https://ttraff.ru/pify?keyword=altar+of+zeus+hitler
    Link-farm targets (clickable external PDF links, clustered on cdn.shopify.com and filesusr.com):
    • https://cdn.shopify.com/s/files/1/0437/7870/3518/files/wizard_5e_character_sheet.pdf
    • https://cdn.shopify.com/s/files/1/0436/3304/9753/files/bovaruboli.pdf
    • https://cdn.shopify.com/s/files/1/0436/6126/3001/files/adobe_indesign_cs6_training_manual.pdf
    • https://cdn.shopify.com/s/files/1/0439/3458/0891/files/27537891271.pdf
    • https://cdn.shopify.com/s/files/1/0435/3599/0936/files/wajazizagefamodubisupem.pdf
    • https://cdn.shopify.com/s/files/1/0430/2517/0595/files/74627543088.pdf
    • https://cdn.shopify.com/s/files/1/0428/8544/7833/files/zubipunumemirume.pdf
    • https://59f384c5-0c55-447e-a1e7-34949345cdb6.filesusr.com/ugd/3ed902_9de49b7905c044c7b1f96be166446500.pdf?index=true
    • https://e6c08438-2d43-436f-a798-e093f26af725.filesusr.com/ugd/6cf804_cee94dc1d11140d4b31ff392c6aa1062.pdf?index=true
    • https://201853a5-c21f-4f40-80a0-3befe9e66728.filesusr.com/ugd/6cfc61_91effc247ea244ecb3e989d8010d5182.pdf?index=true
    • https://6486f143-0203-4c8b-a36e-6101070c174f.filesusr.com/ugd/99afdc_82e7408a58b04edc99cf4a510fdc47ef.pdf?index=true
    XMP metadata namespace URIs (standard RDF, Dublin Core and Adobe XMP namespaces from the document's metadata packet; not clickable links and not indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
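The two critical heuristics and the per-URL channel labels above can be reproduced in a few dozen lines. The script below is an added example written for this report, not the analysis platform's own code. It constructs a small sample PDF (not the analysed file) with one /URI link annotation per URL and a FlateDecode-compressed XMP metadata stream, then labels every URL by the channel that reached it (clickable link annotation versus mere presence in the document body or metadata) and applies a PDF_SEO_LINK_FARM-style check. The sample hostnames (`*.test`) and the thresholds (file size, link count, host-cluster share) are assumptions chosen for illustration.

```python
"""Per-channel URL extraction and a link-farm heuristic for small PDFs.

Added example for this report, not the analysis platform's code.  The sample
PDF is constructed below; hostnames and thresholds are assumptions.
"""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Constructed XMP packet: its namespace URIs are metadata, not clickable links.
XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
       b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
       b'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/"'
       b' xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></rdf:RDF></x:xmpmeta>')

# Constructed link set mimicking the report's pattern: one redirector URL and
# external .pdf links clustered on a single CDN host (all hostnames invented).
SAMPLE_LINKS = [
    "https://redirector.test/go?keyword=altar+of+zeus",
    "https://cdn.shop-host.test/s/files/1/0437/a.pdf",
    "https://cdn.shop-host.test/s/files/1/0436/b.pdf",
    "https://cdn.shop-host.test/s/files/1/0439/c.pdf",
    "https://cdn.shop-host.test/s/files/1/0435/d.pdf",
    "https://cdn.shop-host.test/s/files/1/0430/e.pdf",
    "https://cdn.shop-host.test/s/files/1/0428/f.pdf",
    "https://59f384c5.files-host.test/ugd/x.pdf?index=true",
    "https://e6c08438.files-host.test/ugd/y.pdf?index=true",
]


def build_sample_pdf(links, xmp=XMP):
    """Return a minimal one-page PDF with one /Link annotation per URL and a
    Flate-compressed XMP metadata stream.  No xref table is written; the
    byte-scanning extractor below does not need one."""
    annots, objs = [], []
    for i, url in enumerate(links, start=5):
        esc = url.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append((f"{i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10]"
                     f" /A << /S /URI /URI ({esc}) >> >>\nendobj\n").encode())
        annots.append(f"{i} 0 R")
    meta = zlib.compress(xmp)
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        (f"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
         f" /Annots [{' '.join(annots)}] >>\nendobj\n").encode(),
        b"4 0 obj\n<< /Type /Metadata /Subtype /XML /Filter /FlateDecode"
        b" /Length %d >>\nstream\n" % len(meta) + meta + b"\nendstream\nendobj\n",
        *objs,
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


def expand_streams(data):
    """Append the inflated content of every Flate stream to the raw bytes so
    the regexes below also see text hidden inside compressed objects."""
    out = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # uncompressed or non-Flate stream: already visible raw
    return b"\n".join(out)


URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
BODY_URL_RE = re.compile(rb"https?://[^\s<>\"'()\\]+")


def extract_uri_annotations(data):
    """URLs reachable by clicking: /URI actions in literal-string form."""
    expanded = expand_streams(data)
    return [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(expanded)]


def extract_body_urls(data):
    """Any http(s) URL visible anywhere in the (inflated) document bytes."""
    return sorted({m.group(0).decode("latin-1")
                   for m in BODY_URL_RE.finditer(expand_streams(data))})


def label_urls(data):
    """Map each URL to the channel(s) that reached it (cf. EMBEDDED_URL)."""
    channels = {}
    for u in extract_uri_annotations(data):
        channels.setdefault(u, set()).add("link_annotation")
    for u in extract_body_urls(data):
        channels.setdefault(u, set()).add("document_body")
    return channels


def link_farm_check(data, max_size=200_000, min_links=5, min_cluster_share=0.5):
    """PDF_SEO_LINK_FARM-style heuristic: a small file whose clickable links
    are mostly external .pdf files clustered on one host (thresholds assumed)."""
    hosts = Counter()
    for u in extract_uri_annotations(data):
        p = urlsplit(u)
        if p.scheme in ("http", "https") and p.path.lower().endswith(".pdf"):
            hosts[p.hostname or ""] += 1
    total = sum(hosts.values())
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / total if total else 0.0
    return {"size": len(data), "pdf_links": total, "top_host": top_host,
            "top_host_share": share,
            "fires": len(data) <= max_size and total >= min_links
                     and share >= min_cluster_share}


if __name__ == "__main__":
    pdf = build_sample_pdf(SAMPLE_LINKS)
    for url, ch in label_urls(pdf).items():
        print(f"{','.join(sorted(ch)):30} {url}")
    print(link_farm_check(pdf))
```

Only /URI actions count as clickable; the XMP namespace URIs surface solely through the document-body channel, which is why they are listed but never drive a verdict. Real samples may hide annotations in object streams, hex strings or JavaScript actions that these regexes do not cover, so a production detector should walk the object tree with a proper PDF parser rather than scan bytes.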

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size         SHA-256
font_00_sfnt_off00008ede.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8EDE    4892 bytes   0b58bb2a0b688cc24ee052b171e9c9fcc59812341a73a1f296741664aaa87e56
font_01_sfnt_off00009f87.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x9F87    10448 bytes  023f09525d2e5089a29d07f5dc7aef9c789989a21345395230d85a2ba5103590