Malicious PDF — malware analysis report

Static analysis result for SHA-256 f2b352857c64d313…

Verdict: MALICIOUS
File type: PDF
Size: 40.0 KB
Created: 2020-07-31 19:03:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c18c53eb154e4693ae21d48fb4565281
SHA-1: e6cf73c4b24d64f0abd544c5a71c7f76af994d52
SHA-256: f2b352857c64d313f697d548b0a0230c7fd922ea088ab156cee24cdf40f27b90
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains multiple embedded links, with a critical heuristic firing indicating a link to known malicious redirector infrastructure. The primary malicious URL identified is 'https://ttraff.ru/pify?keyword=ct+license+plate+lookup'. The document body, though heavily obfuscated, also contains this URL, suggesting it is the intended destination. The presence of numerous external PDF links, many hosted on Shopify, indicates a link farm strategy, likely to obscure the ultimate malicious destination or for SEO manipulation. No scripts were extracted, and the PDF structure itself does not reveal further malicious intent beyond the redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://ttraff.ru/pify?keyword=ct+license+plate+lookup
    • http://files.barneyhourihane.com/uploads/1/3/0/7/130776069/453215c4fc.pdf
    • http://files.elegantmind.org/uploads/1/3/1/1/131164476/pitukazupakuf-vabevat-zumiriwef.pdf
    • http://files.ipsproptech.com/uploads/1/3/1/1/131164424/ditalalamudo.pdf
    • https://cdn.shopify.com/s/files/1/0431/6001/0912/files/13697861485.pdf
    • https://cdn.shopify.com/s/files/1/0432/5025/3992/files/82820354883.pdf
    • https://cdn.shopify.com/s/files/1/0433/2378/5370/files/60991745568.pdf
    • https://cdn.shopify.com/s/files/1/0430/0737/7561/files/19122132685.pdf
    • https://cdn.shopify.com/s/files/1/0437/0294/3909/files/22122041602.pdf
    • https://cdn.shopify.com/s/files/1/0437/6775/8999/files/29644002533.pdf
    • https://cdn.shopify.com/s/files/1/0428/7974/6201/files/witawipixaralalewapikufew.pdf
    • https://cdn.shopify.com/s/files/1/0433/6176/3480/files/40615173035.pdf
    • https://cdn.shopify.com/s/files/1/0429/9476/1877/files/72012713671.pdf
    • https://cdn.shopify.com/s/files/1/0431/4293/8784/files/xewunikesozow.pdf
    • https://cdn.shopify.com/s/files/1/0432/4953/3088/files/18315829848.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000619b.bin
  SHA-256: e3a19557f4f833423cdf2a7c135a020e7764095e2831885f5d92870a27012062
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x619B
  Size: 4800 bytes

Filename: font_01_sfnt_off000071fe.bin
  SHA-256: 5182673dcfb3e77cb7422dbde5479b8eabc5ded0ab1087feb89248ffc07c5f30
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x71FE
  Size: 9812 bytes