Malicious PDF — malware analysis report

Static analysis result for SHA-256 c01752c61a1aed62…

Verdict: MALICIOUS
File type: PDF
Size: 49.6 KB
Created: 2020-08-20 04:49:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 05fd6d5e7a605a6db55192500f227547
SHA-1: e5511b10a857d8503563cd385d59da57208c45c2
SHA-256: c01752c61a1aed62680cfddb4c5043bd54f9a07dd19caef6ae124c241a52295b
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a significant number of embedded links, with one identified as a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.ru/pify?keyword=android+api+27+notification', which is also flagged as a malicious redirector. The presence of a large PDF link farm suggests an attempt to manipulate search results or distribute malicious content through seemingly legitimate channels.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://ttraff.ru/pify?keyword=android+api+27+notification

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007755.bin
SHA-256: 856ee3bfecea9b9f394208dd6bfb481c0c990e074f97ea32250db64762cfaf75
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7755
Size: 5140 bytes

Filename: font_01_sfnt_off000088e3.bin
SHA-256: dc3e5a250505ef3822f2851d25c679dcb89e45dcabf9129e583f6f4a214fb02e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x88E3
Size: 15444 bytes