Malicious PDF — malware analysis report

Static analysis result for SHA-256 c0b37aa8c95183e3…

MALICIOUS

PDF

35.0 KB Created: 2020-08-03 16:30:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a5892941fc4aa86f17bb09d358bbed80 SHA-1: c1f95adc2524ccf850aa944b50ccc7b65f053092 SHA-256: c0b37aa8c95183e3aadb1bdfd4e2168a27bbd6c71063c1d7c484d94eebab19bd
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm designed to appear as legitimate educational content, but it redirects to a known malicious infrastructure. The primary lure URL is 'https://ttraff.com/pify?keyword=islamic+art+and+geometric+design+activities+for+learning+pdf', which is flagged as a malicious redirector. The document body, though heavily obfuscated, contains this URL and other Shopify links, suggesting a social engineering tactic to drive traffic to malicious sites. The ML classifier strongly supports the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=islamic+art+and+geometric+design+activities+for+learning+pdf
    • http://files.diybuilds.ca/uploads/1/3/1/0/131069763/kejamenoxiwan_detumegusonuri_luweja_ximozasorevut.pdf
    • http://files.asaswallhangers.com/uploads/1/3/2/7/132712093/3206857.pdf
    • http://files.visualtommy.com/uploads/1/3/1/3/131379894/7772551.pdf
    • https://cdn.shopify.com/s/files/1/0428/8145/0151/files/jiwar.pdf
    • https://cdn.shopify.com/s/files/1/0430/0560/8099/files/beats_audio_drivers_windows_10.pdf
    • https://cdn.shopify.com/s/files/1/0429/3695/9139/files/rapen.pdf
    • https://cdn.shopify.com/s/files/1/0431/0161/8330/files/sawagajis.pdf
    • https://cdn.shopify.com/s/files/1/0430/4506/0762/files/dezoxetazipaj.pdf
    • https://cdn.shopify.com/s/files/1/0436/1401/1555/files/38147625890.pdf
    • https://cdn.shopify.com/s/files/1/0431/9238/5700/files/57745581316.pdf
    • https://cdn.shopify.com/s/files/1/0431/3920/3229/files/gidevutiwimuxitowunu.pdf
    • https://cdn.shopify.com/s/files/1/0427/6859/7158/files/rixafin.pdf
    • https://cdn.shopify.com/s/files/1/0431/2583/3882/files/arkansas_vehicle_bill_of_sale.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004ab9.bin
a7d5f542e4601e1b289e8009bbb6647d1d6f3e88d5f330eaef487d635704541c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4AB9 5472 bytes
font_01_sfnt_off00005d4a.bin
cad38b313b23485caf8c6662e0189465ca57c9393338ad4a19561d66f202fe24		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D4A 9872 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.