Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb418b11591bb39d…

Verdict: MALICIOUS
File type: PDF
Size: 115.2 KB
Created: 2020-08-01 20:17:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9a603561d8be7c68d9ba581b0d0e303d
SHA-1: a1be27c9b2758e5acb7f17d2c1a609875edfe0b4
SHA-256: eb418b11591bb39d50082b955827c7523b0bf26e72a096e763c7547e391a2b53
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file exhibits characteristics of a link farm, containing a large number of external links, many hosted on Shopify. One embedded URL, https://ttraff.ru/pify?keyword=anime+town+background, is identified as a malicious redirector. The ML classifier also flagged this PDF with high confidence. The document body appears to be largely obfuscated or contains minimal readable content, but the presence of the malicious redirector URL is the primary indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.ru/pify?keyword=anime+town+background
    • http://files.blessingsfromabove.net/uploads/1/3/1/8/131856212/a437195da48a.pdf
    • http://files.amfccl.com/uploads/1/3/0/7/130775125/9030719.pdf
    • http://files.stefiecakesandtreats.com/uploads/1/3/1/3/131380042/takewewusemerepasub.pdf
    • https://cdn.shopify.com/s/files/1/0428/8777/4374/files/4782824205.pdf
    • https://cdn.shopify.com/s/files/1/0429/0124/2022/files/vemasirewakeliketupo.pdf
    • https://cdn.shopify.com/s/files/1/0430/6377/1293/files/melagomunive.pdf
    • https://cdn.shopify.com/s/files/1/0428/4959/9644/files/57494122703.pdf
    • https://cdn.shopify.com/s/files/1/0428/9822/7353/files/fefurivakemoza.pdf
    • https://cdn.shopify.com/s/files/1/0431/7901/6360/files/pivolusawu.pdf
    • https://cdn.shopify.com/s/files/1/0429/6540/1753/files/77221448454.pdf
    • https://cdn.shopify.com/s/files/1/0435/3458/1911/files/23954723168.pdf
    • https://cdn.shopify.com/s/files/1/0430/9064/1047/files/movogoxudu.pdf
    • https://cdn.shopify.com/s/files/1/0439/9919/9390/files/xowamiwokok.pdf
    • https://cdn.shopify.com/s/files/1/0433/9679/2478/files/fekuxonojakogoduw.pdf
    • https://cdn.shopify.com/s/files/1/0437/8384/8097/files/17230426387.pdf
    • https://cdn.shopify.com/s/files/1/0438/6455/5675/files/mexaj.pdf
    • https://cdn.shopify.com/s/files/1/0431/6751/4788/files/22582261770.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/xekugoxozeritazol.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

stream_007_off000167b6.bin
  SHA-256: 71a6e3dc299c9d10d0b4eb8f0dab22c2e80b751ce5dc741878635fbd227e6b59
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x167B6
  Size: 11916 bytes

font_00_sfnt_off0000d1e1.bin
  SHA-256: c6acebe3750ab55c09714fa1b34f6c70ddae3ce202e1a088ffcbc34adab53285
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD1E1
  Size: 6588 bytes

font_01_sfnt_off0000e22b.bin
  SHA-256: 417e145ee527a114343e02cf2768e5bd510f9c0428f698bce80fd22d2de37322
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE22B
  Size: 37024 bytes

font_02_sfnt_off00015610.bin
  SHA-256: 63aa9f634ab56b883cf0a187cef5b93a0c7cb3a7dfed55a53cea0fabb2917777
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x15610
  Size: 5216 bytes

font_04_sfnt_off000189c3.bin
  SHA-256: 9fc5c9eb169d312b876f0618e13143ad28519c30cfe01ba5f348f2f62cbd179d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x189C3
  Size: 11144 bytes

font_05_sfnt_off0001afd3.bin
  SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1AFD3
  Size: 4324 bytes