Malicious PDF — malware analysis report

Static analysis result for SHA-256 faa87c0fee7b1bab…

MALICIOUS

PDF

46.3 KB Created: 2020-08-02 00:09:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 02b36f57043d2137961bc5da5b330d8b SHA-1: a32de852766c7b428d7764396152da96e55a5512 SHA-256: faa87c0fee7b1babb5d2b565760366824428e1c3ab2025819e359234a4b7754f
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged by multiple critical heuristics for containing malicious redirector links and a large number of external PDF links, suggesting an SEO spam or link farm attack. One of the embedded URLs, https://ttraff.ru/pify?keyword=nginx+apache2+wordpress, is identified as a known malicious redirector. The document body contains garbled text but also includes the same URLs, reinforcing the link-based attack vector. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=nginx+apache2+wordpress
    • http://files.barriointellect.com/uploads/1/3/2/7/132740321/104c7d.pdf
    • http://files.cromephotography.com/uploads/1/3/0/8/130874252/9466040.pdf
    • http://files.coastalfamilyderm.com/uploads/1/3/0/7/130776182/kadokekusa.pdf
    • http://files.hail-vegan.com/uploads/1/3/0/7/130775825/silukevato.pdf
    • https://cdn.shopify.com/s/files/1/0430/3290/3833/files/nezilavapuzofonivudo.pdf
    • https://cdn.shopify.com/s/files/1/0439/2576/6312/files/zenodaputomezubogazu.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/65069223210.pdf
    • https://cdn.shopify.com/s/files/1/0427/7967/2735/files/xenakudebelu.pdf
    • https://cdn.shopify.com/s/files/1/0434/2985/5393/files/mifiladikun.pdf
    • https://cdn.shopify.com/s/files/1/0432/8944/4510/files/66628318650.pdf
    • https://cdn.shopify.com/s/files/1/0434/4266/7676/files/ragoguvinetuzubipeti.pdf
    • https://cdn.shopify.com/s/files/1/0435/5325/9679/files/12286123715.pdf
    • https://cdn.shopify.com/s/files/1/0428/4363/5879/files/makevarawonenez.pdf
    • https://cdn.shopify.com/s/files/1/0432/7194/6396/files/webumuxatunanutuzajabij.pdf
    • https://cdn.shopify.com/s/files/1/0431/2032/8865/files/31377022733.pdf
    • https://cdn.shopify.com/s/files/1/0433/7798/3653/files/wuwinos.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d44.bin
26eac0c8dc98f6e71f69a93d105b414f3f2463319f3480f976ba705b8acd6e48		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D44 5564 bytes
font_01_sfnt_off0000804e.bin
ec31ff4c70425d4bf97ca7d2e3790b0af8df69507f22aa4a0cda43b2bc739b5a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x804E 13780 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.