Malicious PDF — malware analysis report

Static analysis result for SHA-256 f39af6820ec1ab21…

MALICIOUS

PDF

37.7 KB Created: 2020-08-07 07:14:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bb9867ecc9c6319809742c214e7c3433 SHA-1: e68943cadafca7525d773f7a69c17be8f74cd642 SHA-256: f39af6820ec1ab2118ee6a95adf1f1ac921b4377db201f548717bf50bcea7e03
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing indicating it links to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains the URL 'https://ttraff.com/pify?keyword=weekly+academic+calendar+pdf', which is likely intended to trick the user into downloading a malicious payload. The presence of a large number of external PDF links also suggests a link farm or SEO poisoning attempt to distribute malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=weekly+academic+calendar+pdf
    • http://files.dibbacityguide.com/uploads/1/3/1/6/131606284/234107.pdf
    • http://files.glamorousreputation.com/uploads/1/3/2/3/132303269/6c1654da.pdf
    • http://files.lorettolink.org/uploads/1/3/1/4/131409794/lisedeza-futakebomevan.pdf
    • http://wopupobur.kamalmus.com/uploads/1/3/2/6/132681670/banolezijosasib.pdf
    • https://cdn.shopify.com/s/files/1/0449/5425/5515/files/icp_discography_download.pdf
    • https://cdn.shopify.com/s/files/1/0427/9291/1007/files/disogelabexumuzexo.pdf
    • https://cdn.shopify.com/s/files/1/0437/9174/5175/files/sejarah_agama_buddha.pdf
    • https://cdn.shopify.com/s/files/1/0430/4620/7650/files/voxedaxatewepimimumi.pdf
    • https://cdn.shopify.com/s/files/1/0432/7132/3808/files/gatizuzepafodobewuru.pdf
    • https://cdn.shopify.com/s/files/1/0433/4052/9816/files/risasutegusonizoniroba.pdf
    • https://cdn.shopify.com/s/files/1/0429/1353/0019/files/94533458242.pdf
    • https://cdn.shopify.com/s/files/1/0430/3713/0914/files/download_google_drive_folder_as.pdf
    • https://cdn.shopify.com/s/files/1/0433/8617/5651/files/rsmssb_lab_assistant_answer_key_2020.pdf
    • https://cdn.shopify.com/s/files/1/0434/6894/7616/files/67930997565.pdf
    • https://cdn.shopify.com/s/files/1/0432/5661/0971/files/44641475250.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000054ae.bin
0a180d8d805cb957019e61aacbf56a0b8117c0bf82133e750c2daa318083891a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x54AE 5304 bytes
font_01_sfnt_off000066bd.bin
60f8f6f66817c5972f7356e2d99a271f920a403ddfc22623157516690351bf32		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66BD 10368 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.