Malicious PDF — malware analysis report

Static analysis result for SHA-256 e83b2d4ddae19277…

MALICIOUS

PDF

Size: 42.4 KB
Created: 2020-08-19 19:10:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a95ac2702fc8f785f7f91324ef260f9b
SHA-1: 9267b6c5577a2552152988e5e4aafbd2fae88cce
SHA-256: e83b2d4ddae192778579cea04a1031952e9dde5b678520ddf6e0088ec2bbef0f
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to domains hosting PDF files, suggesting a link farm or SEO poisoning tactic. One prominent link, 'https://ttraff.cc/pify?keyword=best+free+tv+apps+for+android+uk', redirects to malicious infrastructure. The ML classifier also strongly indicated maliciousness. No scripts were extracted, but the PDF structure and embedded links are indicative of a phishing or redirection attack.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.cc/pify?keyword=best+free+tv+apps+for+android+uk
    • http://files.afterglow-tan.com/uploads/1/3/1/4/131438180/aa23da0ba9.pdf
    • http://files.jadelcustomgloves.com/uploads/1/3/2/6/132695586/zavopusoxakarepuf.pdf
    • http://files.antiochwaukegan.org/uploads/1/3/1/4/131453024/nufexizedizat-merox-kotom-vuvovowugamu.pdf
    • http://files.dpwoodspublishing.com/uploads/1/3/1/8/131871852/3576591.pdf
    • http://files.wlcbands.com/uploads/1/3/1/6/131607712/2769e0d94.pdf
    • https://cdn.shopify.com/s/files/1/0439/9264/5790/files/vezatulejagimipuwezi.pdf
    • https://cdn.shopify.com/s/files/1/0433/7804/9189/files/3051773960.pdf
    • https://cdn.shopify.com/s/files/1/0429/9050/2051/files/45668670446.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/65022979336.pdf
    • https://cdn.shopify.com/s/files/1/0439/5863/2606/files/agreement_on_agriculture_wto.pdf
    • https://cdn.shopify.com/s/files/1/0432/4042/3592/files/transformers_revenge_of_the_fallen_online_free.pdf
    • https://cdn.shopify.com/s/files/1/0428/5893/8531/files/comment_arrter_de_boire_de_l_alcool.pdf
    • https://cdn.shopify.com/s/files/1/0438/2064/6562/files/spiderman_coloring_pages.pdf
    • https://cdn.shopify.com/s/files/1/0428/5769/3347/files/kututezugukajelepu.pdf
    • https://cdn.shopify.com/s/files/1/0429/4931/2666/files/sowowupoxuluzufob.pdf
    • https://cdn.shopify.com/s/files/1/0437/1585/4490/files/kuzaf.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000067c7.bin
    SHA-256: bf86449fe1c89ebdd06b7b77092606ec4a68cb137bd378f912699602aeab98bb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x67C7
    Size: 5176 bytes
  • Filename: font_01_sfnt_off0000797d.bin
    SHA-256: d8460209434503bff5790bd13f5574934593d8620c744e9600cfd51cf20051b8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x797D
    Size: 10312 bytes