Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd8188d923c2576a…

MALICIOUS

PDF

43.8 KB Created: 2020-08-14 19:32:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a1aef91aec035d7ef48d9c2f3db0c1f6 SHA-1: 9749c3c34d8c995eeec3f4f3afc4b02ab974e28b SHA-256: dd8188d923c2576a1da52306a320862336144f42f78e65db3dc556e5762b49f6
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains multiple embedded links, with a critical heuristic firing for a malicious redirector. The primary link, 'https://ttraff.com/pify?keyword=network+security+fundamentals+pdf', is designed to lure users with a seemingly relevant document title. The PDF also exhibits characteristics of a link farm, with numerous external links, many pointing to Shopify domains, likely for SEO manipulation or to obscure the malicious redirector. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=network+security+fundamentals+pdf
    • http://boketiw.retrayno.com/uploads/1/3/1/1/131163953/63a4a73d7424b9.pdf
    • http://vexuzuzak.academicbatgirl.com/uploads/1/3/0/7/130776394/fudapukexuxewal_fujilosufe_sugejetufusiv_vuxosomevori.pdf
    • http://files.sagesidley.com/uploads/1/3/1/3/131379223/465678.pdf
    • https://cdn.shopify.com/s/files/1/0427/5906/1670/files/236147369.pdf
    • https://cdn.shopify.com/s/files/1/0439/9408/7582/files/copepod_culture.pdf
    • https://cdn.shopify.com/s/files/1/0431/9058/3464/files/http_filesify._com_wr6jfm_password._txt.pdf
    • https://cdn.shopify.com/s/files/1/0436/0385/3476/files/54565175121.pdf
    • https://cdn.shopify.com/s/files/1/0430/8910/0951/files/20068877313.pdf
    • https://cdn.shopify.com/s/files/1/0437/7909/6728/files/farusatisekinobuwis.pdf
    • https://cdn.shopify.com/s/files/1/0434/2795/4853/files/84734224535.pdf
    • https://cdn.shopify.com/s/files/1/0427/8131/1132/files/3091093301.pdf
    • https://cdn.shopify.com/s/files/1/0433/6851/3695/files/vupelurapixirive.pdf
    • https://cdn.shopify.com/s/files/1/0429/8443/9971/files/64596711884.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ff6.bin
a9efd709cb52afe282d1153984fe599f197f1584a1820bac9f3d3b2c4911ac2f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FF6 5408 bytes
font_01_sfnt_off00007269.bin
db2f316f1b5b78f8773faf62ca702f30ce0023f5aa1ae4a93ba15b698a7eea60		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7269 9784 bytes
font_02_sfnt_off000093d4.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0x93D4 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.