Malicious PDF — malware analysis report

Static analysis result for SHA-256 f0fdecac9f791b4f…

MALICIOUS

PDF

244.7 KB Created: 2020-07-28 06:03:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b6683e871f18768937c26e64a4c5350c SHA-1: 89c9d7fbfac2174d5669f9818043f326ccb4a5e5 SHA-256: f0fdecac9f791b4f2be464a53fee392d2910be1c2615c535e8c3280986d48856
90 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/pify?keyword=punjabi+anniversary+song+free'. The ML classifier also flagged this PDF with high confidence. The document body, though heavily obfuscated, contains text related to 'Punjabi anniversary song free', suggesting a lure. The primary attack vector appears to be directing the user to a malicious URL, likely for further exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=punjabi+anniversary+song+free
    • http://files.londonpokersocial.com/uploads/1/3/0/7/130776049/riwukop_baxavizuzod_xogorotadevedoz_gurutasoziri.pdf
    • http://files.light-sup.com/uploads/1/3/2/6/132681002/lolonegesositub.pdf
    • http://files.wowtasmania.com.au/uploads/1/3/2/7/132740693/todalalanete_ziradaw.pdf
    • http://files.throughmonstrouseyes.com/uploads/1/3/1/4/131437299/zologe-jowoxunow.pdf
    • http://files.faithcomethbyhearing.net/uploads/1/3/1/4/131483317/8963314.pdf
    • https://cdn.shopify.com/s/files/1/0431/7023/4527/files/52905050213.pdf
    • https://cdn.shopify.com/s/files/1/0437/0500/8282/files/fumosed.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/646255477.pdf
    • https://cdn.shopify.com/s/files/1/0437/7018/3831/files/20130784807.pdf
    • https://cdn.shopify.com/s/files/1/0432/7243/7910/files/30153916296.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/vinufew.pdf
    • https://cdn.shopify.com/s/files/1/0433/3328/8088/files/6155637682.pdf
    • https://cdn.shopify.com/s/files/1/0439/0912/0152/files/91692502413.pdf
    • https://cdn.shopify.com/s/files/1/0435/4772/1892/files/rikepuzojiburufinub.pdf
    • https://cdn.shopify.com/s/files/1/0429/9938/2170/files/80523968659.pdf
    • https://cdn.shopify.com/s/files/1/0440/5365/9798/files/23823320781.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000387d3.bin
10f219a13541d952d8e4b419bda97a2c66e5f29e09af012391ff7e8a0d5e0887		 pdf-font-stream PDF embedded font (sfnt) at offset 0x387D3 5084 bytes
font_01_sfnt_off00039936.bin
9dcef6d9ce50ac40af1e6773d1746cf1b8357283285ebc386ca9ce21ab0f5072		 pdf-font-stream PDF embedded font (sfnt) at offset 0x39936 13932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.