Malicious PDF — malware analysis report

Static analysis result for SHA-256 fbd050e6ed1e6daa…

MALICIOUS

PDF

43.8 KB Created: 2020-08-19 22:25:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ba0c5b6715af225524aa4cef0029b9c9 SHA-1: 6791e11749274f7a1fc9a7f9756b2c2c9a2f2281 SHA-256: fbd050e6ed1e6daa2a4059c75d83aeeadc6a459ac3f4846951befe23c1e5c9cc
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.com/pify?keyword=malfeasance+quest+steps+guide'. Additionally, it exhibits characteristics of a PDF link farm, with numerous external links, including one to 'https://cdn.shopify.com/s/files/1/0433/1978/7675/files/8960066252.pdf'. The document body, though partially corrupted, includes the title 'Malfeasance quest steps guide', suggesting a social engineering lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=malfeasance+quest+steps+guide
    • http://files.alexandrubujorsculpture.com/uploads/1/3/1/6/131637325/165550730.pdf
    • http://nefuz.withinthewallsyork.com/uploads/1/3/0/7/130740324/1973174.pdf
    • https://cdn.shopify.com/s/files/1/0433/1978/7675/files/8960066252.pdf
    • https://cdn.shopify.com/s/files/1/0438/1527/2605/files/23390277879.pdf
    • https://cdn.shopify.com/s/files/1/0433/9721/8471/files/bhagavad_gita_chapter_12_telugu.pdf
    • https://cdn.shopify.com/s/files/1/0428/6709/7756/files/63122912480.pdf
    • https://cdn.shopify.com/s/files/1/0439/9919/9390/files/sanisesiju.pdf
    • https://cdn.shopify.com/s/files/1/0430/6026/5117/files/pokemon_emerald_psychic_gym_guide.pdf
    • https://cdn.shopify.com/s/files/1/0437/7310/0184/files/fuzezizolikofede.pdf
    • https://cdn.shopify.com/s/files/1/0429/7208/6435/files/birthday_invitation_card_template.pdf
    • https://cdn.shopify.com/s/files/1/0438/6160/6550/files/xadiworikedizat.pdf
    • https://cdn.shopify.com/s/files/1/0439/3431/8760/files/73689733496.pdf
    • https://cdn.shopify.com/s/files/1/0433/2437/5194/files/24001115123.pdf
    • https://cdn.shopify.com/s/files/1/0432/4261/9035/files/kobizusax.pdf
    • https://cdn.shopify.com/s/files/1/0431/7364/2406/files/multiple_pipes_in_c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006cdb.bin
dcc3a60d8efdb54cc3fc43aaae6e1daee30d90dbae0348fcf33101c974b1a3ac		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6CDB 5356 bytes
font_01_sfnt_off00007f26.bin
e764b7952fdd7268ce1df52ed2cf289af0c60acbf704fca90f94ad62390d88e8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F26 10380 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.