Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb93c67445a14dcb…

MALICIOUS

PDF

Size: 41.9 KB
Created: 2020-08-06 10:06:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b435742e8da31cc5469ec22066615830
SHA-1: 00993bdd2dd98d80c56280c332217bcc074de1db
SHA-256: fb93c67445a14dcbc899969b24840131bc684f1e18c7f86481f5d212e042f55b
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

This PDF document contains a malicious redirector link disguised as an application form. The PDF_MALICIOUS_REDIRECTOR_LINK heuristic indicates that the embedded URL, 'https://ttraff.com/pify?keyword=absa+foundation+funding+application+forms+pdf', leads to known malicious infrastructure. The PDF_SEO_LINK_FARM heuristic further suggests the document is part of a larger scheme to generate traffic through numerous external links. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/pify?keyword=absa+foundation+funding+application+forms+pdf
    • http://files.teachingbeth.com/uploads/1/3/0/7/130740211/kakev.pdf
    • http://files.luminescenceholiday.org/uploads/1/3/2/6/132695194/eed1b8c23c19bb.pdf
    • http://vaguja.puregassa.com/uploads/1/3/2/6/132681504/suxurolivuvukaladi.pdf
    • https://cdn.shopify.com/s/files/1/0434/6878/3782/files/24881544267.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/pegumi.pdf
    • https://cdn.shopify.com/s/files/1/0432/2738/1924/files/pubulowuxetixazapofa.pdf
    • https://cdn.shopify.com/s/files/1/0440/7522/1144/files/discord_font_formatting.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/povumad.pdf
    • https://cdn.shopify.com/s/files/1/0434/0632/7959/files/dobegijaxowepunazemizinuj.pdf
    • https://cdn.shopify.com/s/files/1/0431/2875/0234/files/45015738998.pdf
    • https://cdn.shopify.com/s/files/1/0428/5346/6271/files/fukupusogor.pdf
    • https://cdn.shopify.com/s/files/1/0437/4672/1946/files/alphonse_daudet_les_etoiles.pdf
    • https://cdn.shopify.com/s/files/1/0437/0428/7383/files/57177378701.pdf
    • https://cdn.shopify.com/s/files/1/0429/9181/2767/files/hardiebacker_installation.pdf
    • https://cdn.shopify.com/s/files/1/0438/8470/7992/files/cours_de_l_astronomie.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off00006445.bin
  SHA-256: 75816bcf530f20e5aaa3699bb514b4f457c558d72dcaecbe1909a9c5684207a6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6445
  Size: 5604 bytes

font_01_sfnt_off0000773a.bin
  SHA-256: 9915ebdb7190d71bfee5cab1697192b7d44fd17ea6c1b4a295a91539dc4ef9d8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x773A
  Size: 10412 bytes