Malicious PDF — malware analysis report

Static analysis result for SHA-256 b565f6bbea83e8a5…

MALICIOUS

PDF

71.5 KB Created: 2020-08-25 00:29:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9d57022604c35c3e3eda1e2cdfc4d141 SHA-1: f5c4191a04e7ad663ea47b46b0ecd390e5b92aab SHA-256: b565f6bbea83e8a59601d1e61430dfb48bd361280a9023d7e7172e027db8bfde
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged by multiple critical heuristics for containing malicious redirector links and a large number of external PDF links, suggesting a link farm for SEO manipulation or to host malicious content. The primary malicious URL identified is `https://ttraff.cc/pify?keyword=anime+twist+er`, which is likely a redirector. The document body contains garbled text but also includes the malicious URL, reinforcing its presence. The file's purpose appears to be to lure users into clicking these links, potentially leading to phishing sites or malware downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=anime+twist+er
    • http://files.focusworksedc.com/uploads/1/3/1/3/131384432/932e923c40d4d5e.pdf
    • https://cdn.shopify.com/s/files/1/0437/9734/8514/files/ccpa_california.pdf
    • https://cdn.shopify.com/s/files/1/0431/8288/2980/files/90047150780.pdf
    • https://cdn.shopify.com/s/files/1/0435/2878/1973/files/tisetapopebipiretajepidot.pdf
    • https://cdn.shopify.com/s/files/1/0431/8658/5759/files/21715647232.pdf
    • https://cdn.shopify.com/s/files/1/0433/9869/3022/files/fulavalelununupop.pdf
    • https://cdn.shopify.com/s/files/1/0438/3830/8512/files/83153752656.pdf
    • https://cdn.shopify.com/s/files/1/0431/1721/5905/files/romefemusadowebigi.pdf
    • https://cdn.shopify.com/s/files/1/0433/5196/5855/files/binary_file_to.pdf
    • https://cdn.shopify.com/s/files/1/0428/1214/5823/files/66805070523.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009d72.bin
90b71f40dc421772ad9d01b7e24a4d66f0a75cc88ec80213524af038f223bf7a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9D72 20580 bytes
font_01_sfnt_off0000de08.bin
072d6fc6d4d3085e3b35e811851d35804f6d076adc4e97591a775e304a867ac0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDE08 4672 bytes
font_02_sfnt_off0000edde.bin
e28545a7fecba9eb1107ad0f7168627efe63b526886cf31811d39a5bfc7ce4a4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEDDE 10512 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.