Malicious PDF — malware analysis report

Static analysis result for SHA-256 195e8acbfed596f6…

MALICIOUS

PDF

48.4 KB Created: 2020-08-31 23:02:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d7379220b0e9d35a2fd9e25097e7f3da SHA-1: 3739bf4fd0b39f5acb1b6cdfaf5a06de110212e1 SHA-256: 195e8acbfed596f6865d6524cefc29b6cbd1c250351a3b93dd3b53cceda8d752
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded links, with at least one pointing to a known malicious redirector (ttraff.cc). The document body, though heavily obfuscated, contains the URL and keywords suggesting a lure. The presence of a link farm and a high ML classifier score further indicate malicious intent, likely to redirect users to a phishing or malware distribution site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9947

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=bootstrap+datepicker+sample
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0460/1407/0945/files/13329618402.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/56070096689.pdf
    • https://cdn.shopify.com/s/files/1/0435/0191/2224/files/keseralelavixepitewigef.pdf
    • https://cdn.shopify.com/s/files/1/0436/4537/0518/files/fusionner_fichier_adobe.pdf
    • https://cdn.shopify.com/s/files/1/0463/2438/3904/files/vidifegigimebazepi.pdf
    • https://static.usrfiles.com/ugd/b8c837_3457e671e6fb4533951ef01701bff528.pdf
    • https://cdn.shopify.com/s/files/1/0432/9055/8620/files/69542506622.pdf
    • https://cdn.shopify.com/s/files/1/0432/4950/0315/files/jurazezuvebevakiti.pdf
    • https://cdn.shopify.com/s/files/1/0430/6799/8362/files/17060813500.pdf
    • https://cdn.shopify.com/s/files/1/0431/7626/3841/files/15210483094.pdf
    • https://static.usrfiles.com/ugd/c162b3_ef721000fcaf47de8baf7e16f2755038.pdf
    • https://static.usrfiles.com/ugd/a467d2_a7797657c5ab4100832ac2566dac987b.pdf
    • https://static.usrfiles.com/ugd/b8c837_3ff9788c1ca747e0bfb57631ec50b7d4.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007c52.bin
ef919096a12c0e19f5379ce8869bfc0dad3c2ebb7ea3e0c28dc99e0560e6328a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C52 5332 bytes
font_01_sfnt_off00008e62.bin
6741d3b2b3d42709fe85f59e3016de6129ebe4e5bf12431574188557415bd95f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8E62 14788 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.