Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5503e6e5184ee41…

Verdict: MALICIOUS
File type: PDF
Size: 280.4 KB
Created: 2020-08-14 11:14:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9a5370e229abda6a2bb11b06c14596f8
SHA-1: 82c05cac848ef9df64717ea77fc3d67c08abac75
SHA-256: f5503e6e5184ee41730f18d7971e93af499f8c1524c703e6fbfd59203b96ad92
Risk Score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file triggered a critical heuristic for a malicious redirector link pointing to `https://ttraff.cc/pify?keyword=format+of+absorption+costing+income+statement`. This URL is the primary indicator of malicious intent and most likely serves as a lure that redirects the reader to a phishing or malware distribution site. The ML classifier also strongly flagged the PDF as malicious. No scripts were extracted, and the document body was heavily obfuscated, so the exact lure beyond the malicious link could not be determined.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=format+of+absorption+costing+income+statement

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000402f6.bin
    SHA-256: 51f98b57c171d3b26a6e4daf536c1ecc9a6cebbf606db17031256920c01d3a07
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x402F6
    Size: 5184 bytes
  • Filename: font_01_sfnt_off00041474.bin
    SHA-256: 4ba0935d0d9cf9126d18935ef99937507a567024dd397eb6a7cf96908969917c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x41474
    Size: 15512 bytes
  • Filename: font_02_sfnt_off000444a5.bin
    SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x444A5
    Size: 4324 bytes