Malicious PDF — malware analysis report

Static analysis result for SHA-256 f48f151344cfd1ec…

MALICIOUS

PDF

44.8 KB Created: 2020-08-15 20:41:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b4dac2fb0c59c4a068866fff83c11ed7 SHA-1: 21f136ea98e4a15b88acba74d17d76f9b9eb8469 SHA-256: f48f151344cfd1ec3b61da7baf68f7ae7227be14c2862e48f9e3fba2f566c502
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a high number of embedded links, many pointing to external resources, which is indicative of a link farm or redirection strategy. The primary malicious URL, https://ttraff.ru/pify?keyword=creative+cloud+app++not+working, is flagged as a malicious redirector. The document body, though partially corrupted, contains text related to 'Creative cloud app not working', suggesting a social engineering lure to trick users into clicking the malicious link. The ML classifier strongly supports the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=creative+cloud+app++not+working
    • http://files.causewaysecuritysolutions.com/uploads/1/3/1/3/131398366/2816604.pdf
    • http://files.everythingalcoholink.com/uploads/1/3/1/1/131164043/zisizugif_zadojufav.pdf
    • https://cdn.shopify.com/s/files/1/0430/4440/5397/files/marketing_mix_meaning.pdf
    • https://cdn.shopify.com/s/files/1/0431/6859/6117/files/54615458179.pdf
    • https://cdn.shopify.com/s/files/1/0433/5930/5880/files/97164309888.pdf
    • https://cdn.shopify.com/s/files/1/0439/5512/6430/files/portugus_xxi_2.pdf
    • https://cdn.shopify.com/s/files/1/0429/0582/9532/files/55161226216.pdf
    • https://cdn.shopify.com/s/files/1/0434/1917/3029/files/nusanajaxajoxazupa.pdf
    • https://cdn.shopify.com/s/files/1/0433/9489/1943/files/87588398241.pdf
    • https://cdn.shopify.com/s/files/1/0436/0755/6258/files/chung_kai_lai_a_course_in_probability_theory.pdf
    • https://cdn.shopify.com/s/files/1/0430/5528/4378/files/tovutimifurikes.pdf
    • https://cdn.shopify.com/s/files/1/0431/2255/7082/files/belmont_report_1978.pdf
    • https://cdn.shopify.com/s/files/1/0435/1338/1028/files/rekekugogud.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0433/9489/1943/f

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007266.bin
4487ca82e0656fd933efd8280b796d4834c83afbf9c8b9701df32aac53f3560e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7266 5184 bytes
font_01_sfnt_off0000842e.bin
8706dcaa35ff7c98db48278c92132c29d8fe738cf5add1b565620c9a99561d1f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x842E 10044 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.