Malicious PDF — malware analysis report

Static analysis result for SHA-256 d092e1bd1013a5f7…

MALICIOUS

PDF

41.5 KB Created: 2020-08-27 20:15:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c3ff602bc3e52d32ebbf73e951816bd1 SHA-1: 0f5490f6ed5336898bfbc6dc500090852fe54f47 SHA-256: d092e1bd1013a5f7bf7388910745fc9f28b3221aa8e53826add7e62546da6714
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass of external links, many pointing to Shopify domains, designed to appear as legitimate book downloads. The primary malicious link, https://ttraff.cc/pify?keyword=understandable+statistics+11th+edition, redirects to malicious infrastructure. The ML classifier strongly indicated maliciousness, and the PDF structure suggests a link farm for SEO poisoning or traffic redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=understandable+statistics+11th+edition
    • http://files.professionalpolishingtouch.com/uploads/1/3/1/1/131164002/soroj.pdf
    • http://lofejiru.bantrybayponytrekking.com/uploads/1/3/1/4/131438860/wixun-kazetav-juvavenokulak-legudutidomez.pdf
    • http://files.mercychurchkc.com/uploads/1/3/1/4/131438835/176029e.pdf
    • https://cdn.shopify.com/s/files/1/0433/0101/1614/files/69321366579.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/xidab.pdf
    • https://cdn.shopify.com/s/files/1/0430/4365/1735/files/28595013392.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/nemubowakupupoda.pdf
    • https://cdn.shopify.com/s/files/1/0437/5265/2951/files/65397592759.pdf
    • https://cdn.shopify.com/s/files/1/0430/7949/9940/files/77550482444.pdf
    • https://cdn.shopify.com/s/files/1/0438/2287/4781/files/cyber_security_interview_questions_and_answers.pdf
    • https://cdn.shopify.com/s/files/1/0437/3299/2161/files/audit_report_of_infosys_2015-_16.pdf
    • https://cdn.shopify.com/s/files/1/0431/0673/0138/files/rovakoxik.pdf
    • https://cdn.shopify.com/s/files/1/0431/3785/9735/files/accounting_golden_rules_with_examples.pdf
    • https://cdn.shopify.com/s/files/1/0434/0957/1990/files/23392602488.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005734.bin
f9b8493159b5213a2b00a88c30c495e8eba1e8376999084877a043fb8f2e6790		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5734 4996 bytes
font_01_sfnt_off00006819.bin
83ab86bec0c8c9bf0db01b44c9478e8c26d9f1ef0baf6a1746bdf8f823e96c75		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6819 10312 bytes
font_02_sfnt_off00008b30.bin
1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8B30 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.