Malicious PDF — malware analysis report

Static analysis result for SHA-256 c27ac3cbb826d2e5…

Verdict: MALICIOUS
File type: PDF
Size: 47.4 KB
Created: 2020-08-22 16:46:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00f241a3b37c0afc6c17926136074157
SHA-1: f5b9f8d6be6a5e960e0e1fc18800d5d39cd9d731
SHA-256: c27ac3cbb826d2e5a330092303f186c41178a263079668237c3510b4997b45c0
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. This link, 'https://ttraff.cc/pify?keyword=reformas+borbonicas+economicas+en+america', likely leads to a malicious site. The document also exhibits characteristics of a PDF link farm, with numerous embedded links, many pointing to Shopify domains, suggesting an attempt to obscure the malicious destination or engage in SEO manipulation for traffic. No scripts were extracted, but the presence of a malicious redirector is sufficient to classify this as a malicious document.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=reformas+borbonicas+economicas+en+america
    • http://files.chrystinejones.com/uploads/1/3/1/8/131856034/1790453.pdf
    • http://files.houstonhighschoolptso.com/uploads/1/3/1/8/131871637/19c77fe.pdf
    • https://cdn.shopify.com/s/files/1/0439/4716/3806/files/456705717.pdf
    • https://cdn.shopify.com/s/files/1/0434/3074/0135/files/60867649555.pdf
    • https://cdn.shopify.com/s/files/1/0440/4533/6741/files/javascript_code_cheat_sheet.pdf
    • https://cdn.shopify.com/s/files/1/0441/0825/1288/files/rikarogenutebinuf.pdf
    • https://cdn.shopify.com/s/files/1/0431/9353/2573/files/73170476058.pdf
    • https://cdn.shopify.com/s/files/1/0429/3410/8323/files/balu_telugu_movie_songs_free.pdf
    • https://cdn.shopify.com/s/files/1/0435/1324/9944/files/temario_auxiliar_administrativo_cabildo_de_tenerife_gratis.pdf
    • https://cdn.shopify.com/s/files/1/0427/8799/5807/files/21159705467.pdf
    • https://cdn.shopify.com/s/files/1/0432/2312/2084/files/limodifinu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0507/4838/files/10697494699.pdf
    • https://cdn.shopify.com/s/files/1/0432/6942/3269/files/57332497741.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename (SHA-256) | Kind | Source | Size
font_00_sfnt_off00007abf.bin (ed6acfa0a5cbfb6cffa76ad4d7a915d5954edb522a9722718908e2d30a46b042) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7ABF | 5140 bytes
font_01_sfnt_off00008c2d.bin (d90c71d5660ebe1acbcce28e1dd7499e441dfb4e3d85bb71f35f0d1d269cf5e0) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8C2D | 11184 bytes