Malicious PDF — malware analysis report

Static analysis result for SHA-256 ffe7b8dc1291d23f…

Verdict: MALICIOUS
File type: PDF
Size: 161.0 KB
Created: 2020-08-10 09:35:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b82e97c850f01db256e8e6c7a3fa7c41
SHA-1: cba5e15ce0ba89edb2f0eddcc9139ae227cf04fd
SHA-256: ffe7b8dc1291d23f97d66be05b88bff4b4696ca3a47d7fd150bfe4892712137b
Risk score: 90

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1059.001 Command and Scripting Interpreter: PowerShell

A critical heuristic fired on a clickable link to 'https://ttraff.ru/pify?keyword=ajanta+mural+paintings+pdf', a redirector host associated with PDF SEO/adware delivery. That URL is the primary indicator of malicious intent: the document is a lure that depends on the user clicking through a redirect chain, not on a parser exploit. The ML classifier independently scored the file as malicious. No script objects were extracted (so the PowerShell technique listed above is not corroborated by any content recovered from the sample) and the document body was heavily obfuscated, but the redirector link alone is sufficient for a high-confidence verdict. The other extracted URLs fall into two groups: additional .pdf downloads on third-party hosts, and XMP metadata namespace URIs, which are schema identifiers rather than links and carry no weight in the assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and a redirect chain rather than on a PDF parser vulnerability, so the absence of scripts or exploit objects does not lower the verdict.
  • Embedded URLs [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the channel that reached it (macro, JS, link annotation, document body, ...) decides whether a user or the viewer can ever follow it. Per-URL channel labels are not reproduced in this report, so the URLs are grouped below by what the findings above and the URLs themselves establish.
    Clickable URI flagged by PDF_MALICIOUS_REDIRECTOR_LINK:
    • https://ttraff.ru/pify?keyword=ajanta+mural+paintings+pdf
    Other extracted URLs, each pointing at a further .pdf file on a third-party host (channel not recorded here):
    • http://razepoki.elizabethlaude.com/uploads/1/3/1/3/131380429/1766588.pdf
    • http://files.skilletruf.net/uploads/1/3/2/6/132681992/7984705d.pdf
    • http://files.peninsulahotel.net/uploads/1/3/2/7/132740547/8960341.pdf
    • https://cdn.shopify.com/s/files/1/0434/7035/6637/files/18026984249.pdf
    • https://cdn.shopify.com/s/files/1/0440/9648/7576/files/backpacking_gear_list.pdf
    • https://cdn.shopify.com/s/files/1/0435/2340/8023/files/sozebakaro.pdf
    • https://cdn.shopify.com/s/files/1/0440/1260/1502/files/fur_elise_piano_sheet_music_with_letters.pdf
    • https://cdn.shopify.com/s/files/1/0429/4157/9420/files/1411877369.pdf
    • https://cdn.shopify.com/s/files/1/0432/8764/2267/files/taweginowutoxotube.pdf
    • https://cdn.shopify.com/s/files/1/0437/0114/1657/files/96333380661.pdf
    • https://cdn.shopify.com/s/files/1/0435/1387/2548/files/47182136309.pdf
    • https://cdn.shopify.com/s/files/1/0437/5016/2581/files/42107425714.pdf
    • https://cdn.shopify.com/s/files/1/0433/0166/6969/files/82676451192.pdf
    XMP metadata namespace URIs (schema identifiers in the document's metadata packet, not links; a viewer never dereferences them):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00023185.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x23185   3796 bytes
    SHA-256: 7438dc61928a8b9946bd559d00e20d610e3e1cb92f68126c4829ae87fdc272f5
font_01_sfnt_off00023ee3.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x23EE3   5428 bytes
    SHA-256: dff44088d4e0064a7878854e64e5dab71f515bf81c1104ae66aae1ac61293548
font_02_sfnt_off0002514a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x2514A  11044 bytes
    SHA-256: d80a8918bbb8e4d59e9d0010e48d82870df9a733797b84811798e5f65096754e
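As an added example (not the analysis platform's code and not derived from the sample above), the following Python reproduces on a constructed PDF the two checks this report rests on: it pulls every URI out of the file and labels the channel that reached it, so the clickable redirector link is kept apart from the XMP namespace URIs, and it carves the embedded sfnt font streams with their file offsets the way the artifacts table reports them. The sample PDF, its XMP packet and its font bytes are constructed inline; REDIRECTOR_HOSTS is an assumed watchlist seeded from this report's own finding, not a vendor feed.

```python
# Added example, not the analysis platform's own tooling. Reproduces the two
# checks in the report: (1) extract URIs and label the channel that reached
# each one, so a clickable /Link annotation is never confused with an XMP
# namespace declaration; (2) carve embedded sfnt font streams with offsets.
# The PDF is constructed below; REDIRECTOR_HOSTS is an assumption.
import hashlib
import re
import zlib
from urllib.parse import urlsplit

REDIRECTOR_HOSTS = {"ttraff.ru"}                     # assumption, from this report
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")
SAMPLE_FONT = b"\x00\x01\x00\x00" + b"\x00" * 60     # TrueType magic + padding

OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
URI_RE = re.compile(rb"/URI\s*(?:\((.*?)(?<!\\)\)|<([0-9A-Fa-f\s]*)>)", re.S)
NS_RE = re.compile(rb"xmlns:\w+=['\"]([^'\"]+)['\"]")


def build_sample_pdf() -> bytes:
    """Constructed sample: one /Link annotation, an XMP packet and one
    FlateDecode-compressed font stream. Not the analysed file."""
    xmp = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF "
           b"xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
           b"xmlns:dc='http://purl.org/dc/elements/1.1/' "
           b"xmlns:pdf='http://ns.adobe.com/pdf/1.3/'/></x:xmpmeta>")
    font_z = zlib.compress(SAMPLE_FONT)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>",
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI "
        b"/URI (https://ttraff.ru/pify?keyword=ajanta+mural+paintings+pdf) >> >>",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
        + xmp + b"\nendstream",
        b"<< /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n"
        % (len(font_z), len(SAMPLE_FONT)) + font_z + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def pdf_string(lit: bytes, hexs: bytes) -> str:
    """Decode a PDF literal (...) or hex <...> string; minimal escape handling."""
    if hexs:
        raw = bytes.fromhex(re.sub(rb"\s", b"", hexs).decode("ascii"))
    else:
        raw = re.sub(rb"\\(.)", rb"\1", lit, flags=re.S)
    return raw.decode("latin-1")


def extract_urls(pdf: bytes) -> list:
    """Return (url, channel) pairs. 'link-annotation' and 'uri-action' are
    user-reachable; 'xmp-namespace' entries are schema identifiers that a
    viewer never dereferences, so they must not drive a verdict."""
    found = []
    for _num, body in OBJ_RE.findall(pdf):
        is_link = re.search(rb"/Subtype\s*/Link\b", body) is not None
        for lit, hexs in URI_RE.findall(body):
            found.append((pdf_string(lit, hexs),
                          "link-annotation" if is_link else "uri-action"))
        if re.search(rb"/Type\s*/Metadata\b", body):
            stream = STREAM_RE.search(body)
            for ns in NS_RE.findall(stream.group(1) if stream else b""):
                found.append((ns.decode("latin-1"), "xmp-namespace"))
    return found


def carve_fonts(pdf: bytes) -> list:
    """Inflate each FlateDecode stream and keep those opening with an sfnt
    magic. offset = where the raw stream starts in the file; size = inflated
    length, the same convention as the 'Extracted artifacts' table."""
    fonts = []
    for m in STREAM_RE.finditer(pdf):
        dict_start = max(0, pdf.rfind(b" obj", 0, m.start()))
        data = m.group(1)
        if b"/FlateDecode" in pdf[dict_start:m.start()]:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue                         # corrupt or not really Flate
        if data[:4] in SFNT_MAGICS:
            fonts.append({"offset": m.start(1), "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest()})
    return fonts


def triage(pdf: bytes) -> dict:
    """Summarise the way the report does: clickable targets, watchlist hits,
    metadata namespaces kept apart, carved fonts."""
    urls = extract_urls(pdf)
    clickable = [u for u, ch in urls if ch != "xmp-namespace"]
    return {"clickable": clickable,
            "redirector_hits": [u for u in clickable
                                if urlsplit(u).hostname in REDIRECTOR_HOSTS],
            "xmp_namespaces": [u for u, ch in urls if ch == "xmp-namespace"],
            "fonts": carve_fonts(pdf)}


if __name__ == "__main__":
    print(triage(build_sample_pdf()))
```

To run it against a real file, pass the file's bytes to triage() instead of build_sample_pdf(). The regex scanner deliberately stays simple: it does not expand object streams (/ObjStm) or cross-reference streams, so a production parser such as pikepdf or pdfminer is the right tool once the triage question is answered. Note the offset/size convention, which matches the table above: the offset is that of the still-compressed stream and the size is the inflated length, so consecutive entries can legitimately sit closer together than their sizes alone would allow.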