Malicious PDF — malware analysis report

Static analysis result for SHA-256 f352186d2c536aa3…

MALICIOUS

PDF

Size: 40.0 KB
Created: 2020-08-23 21:14:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 050bfaf31266b5683f122e8ab88dae34
SHA-1: 45de1a5ea94436a4e40e819e319fb7e41f884aee
SHA-256: f352186d2c536aa33a5b6aafde33077fcaf9e2f94b50253c005138ccd9d9603b
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains numerous embedded links, with one pointing to a known malicious redirector. The heuristic PDF_SEO_LINK_FARM indicates a link farm strategy, likely to obscure the true malicious destination. The ML classifier also strongly flagged this PDF as malicious. The document body appears to be malformed or obfuscated, but the presence of the URL 'https://ttraff.com/pify?keyword=fishbone+analysis+template+powerpoint' suggests a lure related to analysis templates.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=fishbone+analysis+template+powerpoint
    • http://nonivala.accuratehomeinspections.ca/uploads/1/3/0/9/130969140/2773565.pdf
    • http://files.ck1design.com/uploads/1/3/2/6/132696233/sopijuv-posusufuwet-xipinutufo-newiw.pdf
    • https://cdn.shopify.com/s/files/1/0433/9433/4870/files/dimup.pdf
    • https://cdn.shopify.com/s/files/1/0435/1416/7450/files/k_michelle_net_worth.pdf
    • https://cdn.shopify.com/s/files/1/0434/0462/4021/files/arthritis_research_uk_ankle_exercises.pdf
    • https://cdn.shopify.com/s/files/1/0428/2250/0518/files/jupaf.pdf
    • https://cdn.shopify.com/s/files/1/0462/8440/6944/files/nutofaxekobax.pdf
    • https://cdn.shopify.com/s/files/1/0437/7352/6178/files/71365591956.pdf
    • https://cdn.shopify.com/s/files/1/0437/8882/8829/files/98289000928.pdf
    • https://cdn.shopify.com/s/files/1/0450/4561/2694/files/39122278753.pdf
    • https://cdn.shopify.com/s/files/1/0444/0326/1606/files/tepasukanitedurakulol.pdf
    • https://cdn.shopify.com/s/files/1/0434/6806/2872/files/ravumodufeberinibu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00005e4f.bin
    SHA-256: 2116baa4436522e827f70b0bcaaf84ac1c41721ae8602166dd2344b1108b0a36
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5E4F
    Size: 5348 bytes
  • font_01_sfnt_off0000705d.bin
    SHA-256: 90a5df4b85fe47ff56f7b0b03d1a6dad003a6330f04e65ed56c04ef2a8d6a9e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x705D
    Size: 10312 bytes