Malicious PDF — malware analysis report

Static analysis result for SHA-256 d6cbfe6bb584a338…

MALICIOUS

PDF

46.1 KB Created: 2020-08-24 03:48:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c14227a109139f7bf8434288cdd06285 SHA-1: 5654fde29cc3d748f0532564f4a6e6baadf455c4 SHA-256: d6cbfe6bb584a338dc5b173f72db19c2d8bdd61fb41f1c22cb8f12638278c115
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a high number of embedded links, many of which point to a redirector service. The primary malicious URL, 'https://ttraff.cc/pify?keyword=catia+v5r21+64+bit++free', is flagged as a malicious redirector. This suggests the document is designed to trick users into clicking through to malicious content, likely for phishing or malware distribution. No scripts were extracted, limiting the analysis of direct execution capabilities.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=catia+v5r21+64+bit++free
    • http://files.samosetband.com/uploads/1/3/1/4/131407227/cfa635f66b7.pdf
    • http://files.actorbritthalaas.com/uploads/1/3/0/7/130739802/3d53d95991e8a46.pdf
    • http://files.saratogadandia.org/uploads/1/3/1/4/131453124/modewakukafigugi.pdf
    • http://files.bldrwindowtint.com/uploads/1/3/1/4/131437859/jemadu-wurajudosifav-bosowux-bizizebesixus.pdf
    • https://cdn.shopify.com/s/files/1/0431/9176/3105/files/pin_diode_download.pdf
    • https://cdn.shopify.com/s/files/1/0457/6690/1924/files/straight_line_depreciation_schedule_template.pdf
    • https://cdn.shopify.com/s/files/1/0428/2767/7852/files/31954553142.pdf
    • https://cdn.shopify.com/s/files/1/0430/2487/5674/files/adobe_indesign_cs5_user_manual.pdf
    • https://cdn.shopify.com/s/files/1/0430/5915/1009/files/ancelin_schtzenberger.pdf
    • https://cdn.shopify.com/s/files/1/0431/3081/4621/files/masuxerigotobavume.pdf
    • https://cdn.shopify.com/s/files/1/0429/6340/2905/files/ladewexepebuvedapa.pdf
    • https://cdn.shopify.com/s/files/1/0459/8684/0743/files/mekusugetazolurubomise.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000067b4.bin
af165a90e9a14fda8ebdc70777bde901fa110b267b36aeab66587da3970b7eee		 pdf-font-stream PDF embedded font (sfnt) at offset 0x67B4 4080 bytes
font_01_sfnt_off00007615.bin
ef4e2b031233038690ef7d49e3c9036301fa6893da456824b90e6fb2b730f1d4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7615 5204 bytes
font_02_sfnt_off000087f6.bin
5688c5b68cf4506dc4d06576616f51e0d5d77bdf6b8873f108454a3955691478		 pdf-font-stream PDF embedded font (sfnt) at offset 0x87F6 10496 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.