Malicious PDF — malware analysis report

Static analysis result for SHA-256 f85c4a117a0b9322…

MALICIOUS

PDF

50.4 KB Created: 2020-08-14 20:40:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9b721943b2e5f5dd52e1bcaa6c3c6fa3 SHA-1: 633ee498c33294efc64db46cbf6ecc5996681a2b SHA-256: f85c4a117a0b932250e5d79e094adb8b658addc4e33b6b760e62cef8159220e6
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a significant number of embedded links, with one heuristic specifically identifying it as a 'PDF SEO Link Farm'. The primary malicious URL, 'https://ttraff.cc/pify?keyword=sample+of+accomplishment+report+format+for+teachers', is flagged as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting an attempt to lure users into clicking malicious links disguised as legitimate content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=sample+of+accomplishment+report+format+for+teachers
    • http://files.colorreadings.com/uploads/1/3/1/3/131379040/vezowavosepaluraf.pdf
    • http://files.spiceandvinemerc.com/uploads/1/3/0/7/130775309/1341929.pdf
    • http://files.jenzgemzshop.com/uploads/1/3/0/8/130813489/de106.pdf
    • http://tivepo.bohemianbluphotography.com/uploads/1/3/1/4/131437812/wuxobax.pdf
    • https://cdn.shopify.com/s/files/1/0439/6787/3182/files/sega_emulator_android.pdf
    • https://cdn.shopify.com/s/files/1/0430/6537/6919/files/bums_in_the_attic.pdf
    • https://cdn.shopify.com/s/files/1/0429/2247/5687/files/zimbabwe_national_anthem_lyrics.pdf
    • https://cdn.shopify.com/s/files/1/0434/3015/0300/files/fatonoz.pdf
    • https://cdn.shopify.com/s/files/1/0434/2336/7335/files/samalatave.pdf
    • https://cdn.shopify.com/s/files/1/0434/9027/9574/files/bagakazasilekasifudu.pdf
    • https://cdn.shopify.com/s/files/1/0431/3333/7768/files/winesisizowuxeladaj.pdf
    • https://cdn.shopify.com/s/files/1/0435/8583/1070/files/3683167294.pdf
    • https://cdn.shopify.com/s/files/1/0439/0617/1048/files/laxisosa.pdf
    • https://cdn.shopify.com/s/files/1/0439/1682/0635/files/21313956170.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007c16.bin
b7f317aa0f29cd34df008dc84d8f376d2685882a57a4a5cd0d86477d0adf885a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C16 2828 bytes
font_01_sfnt_off00008611.bin
a83673ba499faa9bd74fdeac0df888b6b8fb05db15137f5d39d3b26847fb2fbe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8611 5356 bytes
font_02_sfnt_off0000981f.bin
6fda817f038fa3d28ca66c5dfd1b8b9947853e11267905f02fd229b2249fa6cc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x981F 9916 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.