Malicious PDF — malware analysis report

Static analysis result for SHA-256 ca660fb4ebc13c52…

Verdict: MALICIOUS
File type: PDF
Size: 49.8 KB
Created: 2020-08-09 00:48:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b5d6049a1b1dadedc118ab0c1aed5402
SHA-1: b174bdc357983329bbae075deb78c5c49e143654
SHA-256: ca660fb4ebc13c52c3e06d04355477a2c0f57e7b69434d329e432bcf7fb18793
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains multiple embedded links, with a critical heuristic firing for a malicious redirector at 'https://ttraff.ru/pify?keyword=pancreas+anatomia+fisiologia+pdf'. Another critical heuristic indicates a PDF link farm, suggesting an attempt to generate traffic or distribute content through numerous external links. The ML classifier strongly supports the malicious nature of this PDF. The document body, though heavily obfuscated, contains the same URL as the malicious redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://ttraff.ru/pify?keyword=pancreas+anatomia+fisiologia+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000767f.bin
    SHA-256: 22b674f90e11eadee4696a800ee1f47130093c0328f6f9023581d5472f419eaa
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x767F
    Size: 5476 bytes
  • font_01_sfnt_off00008908.bin
    SHA-256: c8598fadcc17713988ddd2c8278c64ab1e05e33f002de34e3a5ace07a13734cd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8908
    Size: 17172 bytes