Malicious PDF — malware analysis report

Static analysis result for SHA-256 b1a632041811c47c…

MALICIOUS

PDF

45.1 KB Created: 2020-08-16 18:31:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0659d140aec1b23fe55d6b3ec1721b26 SHA-1: 6aff0accfe79870a81f8f714b4434b08cc5a0a54 SHA-256: b1a632041811c47c0d53a61ed766befb4e3be88bb93f55681e2cde1ba0021d40
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a malicious redirector link that masquerades as a CV template download. This link, https://ttraff.ru/pify?keyword=modern+cv+template+word+free+.+docx, is designed to lead users to potentially harmful content. The document also contains a large number of external links, many pointing to Shopify domains, which is characteristic of SEO link farm techniques used to obscure malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=modern+cv+template+word+free+.+docx
    • http://files.christmovementinternational.org/uploads/1/3/1/3/131380583/zujirug.pdf
    • http://zoxis.americanawningandsign.com/uploads/1/3/1/0/131070420/1698988.pdf
    • https://cdn.shopify.com/s/files/1/0431/6856/3355/files/84125889523.pdf
    • https://cdn.shopify.com/s/files/1/0429/9004/3285/files/40379723904.pdf
    • https://cdn.shopify.com/s/files/1/0432/3383/7219/files/49312050841.pdf
    • https://cdn.shopify.com/s/files/1/0428/8462/8633/files/95835061475.pdf
    • https://cdn.shopify.com/s/files/1/0431/0627/1394/files/website_design_proposal_sample.pdf
    • https://cdn.shopify.com/s/files/1/0435/5883/0231/files/viscosity_test_of_bitumen.pdf
    • https://cdn.shopify.com/s/files/1/0435/5486/5320/files/brevet_results_2020.pdf
    • https://cdn.shopify.com/s/files/1/0433/9371/2286/files/54992834764.pdf
    • https://cdn.shopify.com/s/files/1/0433/7985/1414/files/midigijumufemagokorovasof.pdf
    • https://cdn.shopify.com/s/files/1/0437/9544/7970/files/78424624352.pdf
    • https://cdn.shopify.com/s/files/1/0434/4378/1792/files/zefubamageginegiwikomefip.pdf
    • https://cdn.shopify.com/s/files/1/0429/5091/8310/files/messenger_apk_latest_version_2018.pdf
    • https://cdn.shopify.com/s/files/1/0432/8026/9477/files/21862051777.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/demesudixagivok.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000071d6.bin
0e21982dd1a4f1f87edb671d0dfc331869579eee6a3a2a38169d51e2bd063696		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71D6 5380 bytes
font_01_sfnt_off0000842e.bin
30f8d54c28924f255b2b41205cea951cd009fbbe2d177cb2c35d6f5c2ea6c3ae		 pdf-font-stream PDF embedded font (sfnt) at offset 0x842E 10204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.