Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7c0cba1573bf1e2…

Verdict: MALICIOUS
File type: PDF
Size: 53.9 KB
Created: 2020-08-19 13:16:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c2e769d2450b84c6e15e8aa22a64f3cd
SHA-1: 7324177250d356e59d5455714a2cee880d0cb317
SHA-256: e7c0cba1573bf1e2c27b800bbcd9f664c3e7e08813aa89a28e46375c5fc61542
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link farm designed to appear as legitimate PDF downloads, but one of the primary links, 'https://ttraff.ru/pify?keyword=amplitude+modulation+problems+with+solutions+pdf', is a known malicious redirector. The document body, though heavily obfuscated, contains this URL and other URLs pointing to potentially malicious content. The ML classifier strongly flagged this PDF as malicious, supporting the conclusion that it is designed to redirect users to harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.ru/pify?keyword=amplitude+modulation+problems+with+solutions+pdf
    • http://sejikiseg.ailightup.com/uploads/1/3/0/7/130775062/8109004.pdf
    • http://vaseb.affordablestoragebrownfield.com/uploads/1/3/1/8/131857152/bares.pdf
    • http://files.awdarcy.com/uploads/1/3/2/3/132303374/natelukuwo.pdf
    • http://xotosapit.greenscrub.ca/uploads/1/3/0/8/130814575/nupalilolikituj.pdf
    • http://files.gerigventer.com/uploads/1/3/1/3/131383727/giwabefegolabo-jitiribivilube-zexetufubase-revidof.pdf
    • https://cdn.shopify.com/s/files/1/0431/7783/6702/files/pujurarodipigu.pdf
    • https://cdn.shopify.com/s/files/1/0434/5197/3799/files/chemistry_diagnostic_test.pdf
    • https://cdn.shopify.com/s/files/1/0427/9474/6023/files/slip_fit_tolerance.pdf
    • https://cdn.shopify.com/s/files/1/0433/3391/0681/files/genetic_code_table.pdf
    • https://cdn.shopify.com/s/files/1/0433/5271/9515/files/66133844370.pdf
    • https://cdn.shopify.com/s/files/1/0438/5102/2501/files/83439967120.pdf
    • https://cdn.shopify.com/s/files/1/0440/7744/9366/files/business_english_teaching_materials.pdf
    • https://cdn.shopify.com/s/files/1/0431/2875/0241/files/encyclopaedia_of_islam_2nd_edition.pdf
    • https://cdn.shopify.com/s/files/1/0432/2312/2084/files/16181306097.pdf
    • https://cdn.shopify.com/s/files/1/0437/7129/7943/files/go_formative_answer_key.pdf
    • https://cdn.shopify.com/s/files/1/0432/4373/3154/files/total_gym_xls_manual.pdf
    • https://cdn.shopify.com/s/files/1/0435/7623/0047/files/law_on_obligations_and_contracts_philippines.pdf
    • https://cdn.shopify.com/s/files/1/0431/7410/1149/files/perolusobolunepaga.pdf
    • https://cdn.shopify.com/s/files/1/0430/4489/6925/files/lalerezesonolav.pdf
    • https://cdn.shopify.com/s/files/1/0434/3506/5510/files/45399040747.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0434/3506/5510/fi

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

Filename: font_00_sfnt_off0000749c.bin
  SHA-256: c52a90f50dc23ba4ae2be4743e32b2980638fbc57a4c5c187137c0aa5f48bef6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x749C
  Size: 5500 bytes

Filename: font_01_sfnt_off00008720.bin
  SHA-256: d915b4c88dfdf60cdb32956bab26f2e5031be282031ae5e7e96d84eb7a97fb75
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8720
  Size: 1596 bytes

Filename: font_02_sfnt_off00008f38.bin
  SHA-256: 907a5aba2ac97e2ddf061303f2dd6c214fce58d03a08847e57a23678a4840e1a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8F38
  Size: 10432 bytes

Filename: font_03_sfnt_off0000b2d2.bin
  SHA-256: fe1568915ba65f8d62f5411c7d58e87ce4f485024a12b7a880e60feb01691c0b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB2D2
  Size: 16400 bytes