Malicious PDF — malware analysis report

Static analysis result for SHA-256 dfa6b7c615d29764…

MALICIOUS

PDF

42.2 KB Created: 2020-08-04 07:45:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ae9391e44f1aabdd7ebbd8ad57e8dbe3 SHA-1: 80762c135e5061bc74df4667197a8bf0efa2b6d5 SHA-256: dfa6b7c615d2976471b1b7d52f2fef34ee4af09720f442e8fdcdfe23ce02f106
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous embedded links, with a critical heuristic identifying a malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.ru/pify?keyword=ceftriaxona+dosis+perros+pdf', which is flagged as malicious. This suggests the PDF is designed to trick users into visiting a malicious site, likely for further exploitation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=ceftriaxona+dosis+perros+pdf
    • http://files.goldstripecoffee.com/uploads/1/3/1/4/131483361/vebek.pdf
    • http://files.deviniska.com/uploads/1/3/1/4/131438353/45823dea287203f.pdf
    • http://files.sustainme.co.za/uploads/1/3/1/4/131453252/legesigimujopimuti.pdf
    • http://files.sustainme.co.za/upl
    • https://cdn.shopify.com/s/files/1/0435/9749/6483/files/vixem.pdf
    • https://cdn.shopify.com/s/files/1/0433/9390/8887/files/ghost_in_the_shell._torrent.pdf
    • https://cdn.shopify.com/s/files/1/0428/7892/7014/files/webofifarubilujopuboked.pdf
    • https://cdn.shopify.com/s/files/1/0430/5590/6970/files/ncaa_14_download.pdf
    • https://cdn.shopify.com/s/files/1/0433/4593/6534/files/non_spatial_data_in_gis.pdf
    • https://cdn.shopify.com/s/files/1/0430/5692/2777/files/8044879654.pdf
    • https://cdn.shopify.com/s/files/1/0428/8099/1388/files/gipidobadilosadaxavew.pdf
    • https://cdn.shopify.com/s/files/1/0434/4948/3420/files/we_are_your_friends_imdb.pdf
    • https://cdn.shopify.com/s/files/1/0435/6807/0824/files/3120936639.pdf
    • https://cdn.shopify.com/s/files/1/0434/2844/6358/files/96235842363.pdf
    • https://cdn.shopify.com/s/files/1/0434/6671/9385/files/pearson_custom_business_resources.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000065ac.bin
9b983aa4ea5aa33e1e06978c06f8603c749a4ae00bed1a5c95ba2dc68a05903d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65AC 4976 bytes
font_01_sfnt_off000076aa.bin
47a2cf0edf4184a4dac74aa3db9ae2a652f165b765e326c32c57231eddd5e80f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76AA 11064 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.