Malicious PDF — malware analysis report

Static analysis result for SHA-256 e307441fea52ec16…

Verdict: MALICIOUS
File type: PDF
Size: 52.3 KB
Created: 2020-08-06 22:13:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b52d08deac9304bd9f6e6254e781f34d
SHA-1: 0264c0dd7c3b6e777179654b5e248fef18761905
SHA-256: e307441fea52ec161012fd527a3c5f8078696c1d4830a422ab856c1155b1d8d7
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF carries a large number of clickable external links, most of them to other PDFs hosted on cdn.shopify.com, a pattern characteristic of a generated SEO link farm rather than a normally cited document. One link, https://ttraff.ru/pify?keyword=askep+bblr+nic+noc+pdf, points to a known malicious redirector. The Nyx PDF classifier independently scored the file as malicious with maximum confidence (1.0000). The document body is heavily obfuscated and embeds the redirector URL, so the document's primary purpose appears to be routing users who click through to malicious infrastructure; no PDF-reader exploit is involved, and the chain depends on user interaction.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the w3.org, purl.org and ns.adobe.com entries at the end of this list are XMP/RDF schema namespace identifiers from the document metadata, not navigational links.
    • https://ttraff.ru/pify?keyword=askep+bblr+nic+noc+pdf
    • http://files.snowypeaksoap.com/uploads/1/3/0/7/130739315/jekeseboxopa.pdf
    • http://files.michaelmccarthyart.com/uploads/1/3/1/4/131406222/0720a1775e0d7.pdf
    • http://files.osisiboutique.com/uploads/1/3/0/7/130775965/bf4c66def9e.pdf
    • http://files.coloradocrimevictims.org/uploads/1/3/1/0/131070230/fonivadivum_begaxenope.pdf
    • https://cdn.shopify.com/s/files/1/0433/3728/5797/files/xelurupajimarituvotojo.pdf
    • https://cdn.shopify.com/s/files/1/0431/1888/7068/files/help_action_5e.pdf
    • https://cdn.shopify.com/s/files/1/0427/7259/4844/files/blood_and_thunder_book.pdf
    • https://cdn.shopify.com/s/files/1/0433/7709/8902/files/webuvirugoxojo.pdf
    • https://cdn.shopify.com/s/files/1/0428/9521/2697/files/dexiwaxoxilaxeze.pdf
    • https://cdn.shopify.com/s/files/1/0437/1460/9305/files/80556445713.pdf
    • https://cdn.shopify.com/s/files/1/0431/4077/6093/files/muwosuwuv.pdf
    • https://cdn.shopify.com/s/files/1/0438/3178/7670/files/36672694750.pdf
    • https://cdn.shopify.com/s/files/1/0438/1078/3394/files/bevisisetiva.pdf
    • https://cdn.shopify.com/s/files/1/0429/8643/8807/files/71127550752.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rofan.pdf
    • https://cdn.shopify.com/s/files/1/0432/2535/0301/files/mujisopi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
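The two critical heuristics above can be reproduced with a few lines of triage code. The following Python script is an added example, not the analysis platform's own detection logic: it builds a small constructed PDF whose link annotations mirror the URL set listed in this report, extracts URLs per channel (link annotation, raw document body, XMP namespace), and applies the redirector-host and link-farm rules. The thresholds (200 KB, 8 links, 50% on one host) and the known-redirector host list (seeded from the ttraff.ru URL on this page) are assumptions chosen for illustration.

```python
"""Link-farm / redirector triage for PDFs (added example, not the report's tool)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed, not from the report: redirector hosts, seeded from the URL flagged above.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.ru"}
# XMP/RDF schema namespaces look like URLs but are never navigational links.
NAMESPACE_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                      "http://purl.org/dc/", "http://ns.adobe.com/")
# Assumed thresholds for the link-farm rule; tune against your own corpus.
SMALL_PDF_BYTES = 200 * 1024
MIN_PDF_LINKS = 8
MIN_TOP_HOST_SHARE = 0.5

# Literal-string /URI actions only: hex strings (<...>), escaped parentheses and
# anything inside a compressed (FlateDecode) object stream are NOT seen here.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")


def extract_urls(pdf_bytes):
    """Map each URL to the set of channels it was reached through."""
    found = {}
    for m in URI_RE.finditer(pdf_bytes):               # clickable /Link -> /A /URI
        url = m.group(1).decode("latin-1")
        found.setdefault(url, set()).add("link_annotation")
    for m in URL_RE.finditer(pdf_bytes):               # anything URL-shaped in the body
        url = m.group(0).decode("latin-1")
        if url in found:
            continue                                   # already attributed to an annotation
        channel = "xmp_namespace" if url.startswith(NAMESPACE_PREFIXES) else "document_body"
        found.setdefault(url, set()).add(channel)
    return found


def classify(pdf_bytes):
    """Return (urls, hits); each hit is (severity, rule_id, detail)."""
    urls = extract_urls(pdf_bytes)
    hits = []
    clickable = [u for u, ch in urls.items() if "link_annotation" in ch]
    for u in clickable:                                # rule 1: known redirector host
        if urlparse(u).hostname in KNOWN_REDIRECTOR_HOSTS:
            hits.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", u))
    pdf_links = [u for u in clickable if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf_bytes) <= SMALL_PDF_BYTES and len(pdf_links) >= MIN_PDF_LINKS:
        host, n = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)[0]
        if n / len(pdf_links) >= MIN_TOP_HOST_SHARE:   # rule 2: small file, clustered PDF links
            hits.append(("critical", "PDF_SEO_LINK_FARM",
                         f"{n}/{len(pdf_links)} external PDF links on {host}"))
    return urls, hits


def build_sample_pdf(link_urls):
    """Constructed one-page PDF: one uncompressed /Link annotation per URL plus a
    tiny XMP packet, so namespace URIs show up the way they do in real files."""
    annots = " ".join(f"{5 + i} 0 R" for i in range(len(link_urls)))
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:dc="http://purl.org/dc/elements/1.1/"/></x:xmpmeta>')
    objs = [
        "<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
        "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{annots}] >>",
        f"<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\nstream\n{xmp}\nendstream",
    ]
    for i, u in enumerate(link_urls):
        y = 700 - 20 * i
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [50 {y} 400 {y + 15}] "
                    f"/A << /S /URI /URI ({u}) >> >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n{body}\nendobj\n".encode("latin-1")
    xref_pos = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref_pos}\n%%EOF\n".encode()
    return bytes(out)


# Constructed link set modelled on the URLs listed in this report.
SAMPLE_LINKS = [
    "https://ttraff.ru/pify?keyword=askep+bblr+nic+noc+pdf",
    "http://files.snowypeaksoap.com/uploads/1/3/0/7/130739315/jekeseboxopa.pdf",
    "http://files.michaelmccarthyart.com/uploads/1/3/1/4/131406222/0720a1775e0d7.pdf",
    "http://files.osisiboutique.com/uploads/1/3/0/7/130775965/bf4c66def9e.pdf",
    "https://cdn.shopify.com/s/files/1/0433/3728/5797/files/xelurupajimarituvotojo.pdf",
    "https://cdn.shopify.com/s/files/1/0431/1888/7068/files/help_action_5e.pdf",
    "https://cdn.shopify.com/s/files/1/0427/7259/4844/files/blood_and_thunder_book.pdf",
    "https://cdn.shopify.com/s/files/1/0433/7709/8902/files/webuvirugoxojo.pdf",
    "https://cdn.shopify.com/s/files/1/0428/9521/2697/files/dexiwaxoxilaxeze.pdf",
    "https://cdn.shopify.com/s/files/1/0437/1460/9305/files/80556445713.pdf",
    "https://cdn.shopify.com/s/files/1/0431/4077/6093/files/muwosuwuv.pdf",
    "https://cdn.shopify.com/s/files/1/0438/3178/7670/files/36672694750.pdf",
]

if __name__ == "__main__":
    urls, hits = classify(build_sample_pdf(SAMPLE_LINKS))
    for sev, rule, detail in hits:
        print(f"[{sev}] {rule}: {detail}")
    for url, channels in sorted(urls.items()):
        print(f"  {','.join(sorted(channels)):16} {url}")
```

The raw-byte regex approach is deliberately the weak part: a PDF 1.5+ file can tuck its annotation dictionaries into a compressed object stream, in which case neither `/URI` nor the URL is visible without inflating streams first. For anything beyond quick triage, run the same rules over objects produced by a real PDF parser that decodes streams, and treat a document with no visible links but many compressed object streams as worth a second look rather than as clean.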

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00008faa.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8FAA   5132 bytes
  SHA-256: 2ce9989a0a8d0abb59a582099d9576e55282eb8d4e96bc5f6eba523560a66d2e
font_01_sfnt_off0000a131.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xA131   10208 bytes
  SHA-256: 6c056ceeb6879563027685078976b7e46db3bc73c58ca63fd75946ae5457a18b