Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c18318499fd4ca1…

MALICIOUS

PDF

35.5 KB Created: 2020-09-08 21:39:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00e256f71a6fc2ea6286ea66f5fb66ec SHA-1: c7f9243f6e079823b29e4cd12012ea59fdfbff73 SHA-256: 1c18318499fd4ca1d85e639841eeda8a6a7535e548c08ed28f7d715fe3b135d6
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, directing users to 'ttraff.club'. Additionally, it exhibits a PDF link farm, suggesting an attempt to manipulate search engine results or distribute content broadly. The ML classifier strongly indicates maliciousness. The document body, though corrupted, contains the malicious URL and benign-looking PDF links, likely intended as a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=light+my+fire+keyboard+solo+sheet+music
    • https://static.usrfiles.com/ugd/cdb50c_e56c6fc8e24e47b79c6b819971b77046.pdf
    • https://static.usrfiles.com/ugd/4c76bf_dab85b6fad574b85877f21f8ebe634be.pdf
    • https://static.usrfiles.com/ugd/9b7d8a_34728004bfd34d4e9f595f302003ab2c.pdf
    • https://static.usrfiles.com/ugd/b8c837_561be93fb2bf4e8cae146a7f223480b2.pdf
    • https://static.usrfiles.com/ugd/de65f7_376c28c646244a7890613c16cd3e2675.pdf
    • https://static.usrfiles.com/ugd/f65175_7e44f0166993412ba7d97df6e70c49b1.pdf
    • https://cdn.shopify.com/s/files/1/0434/5266/1912/files/vuragipegufijataraxu.pdf
    • https://cdn.shopify.com/s/files/1/0429/0124/2015/files/42556469024.pdf
    • https://cdn.shopify.com/s/files/1/0436/5733/0853/files/xuxudanilofezifek.pdf
    • https://cdn.shopify.com/s/files/1/0428/7594/5113/files/mariano_azuela_obras.pdf
    • https://cdn.shopify.com/s/files/1/0428/5625/1555/files/sosobe.pdf
    • https://cdn.shopify.com/s/files/1/0431/0709/0598/files/pizowebogarapabivusozoz.pdf
    • https://cdn.shopify.com/s/files/1/0433/4583/8239/files/juwoperejubokunazixirozav.pdf
    • https://cdn.shopify.com/s/files/1/0429/8843/7655/files/25601472744.pdf
    • https://cdn.shopify.com/s/files/1/0438/5731/3957/files/experience_certificate_sample.pdf
    • https://cdn.shopify.com/s/files/1/0431/6751/4788/files/suzibipowu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004619.bin
dbaf0dee3b23cf05f251fa1e361a2540fff20f03d046a34da7f0e4bea4db18b4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4619 5680 bytes
font_01_sfnt_off0000594f.bin
24f04d60f3e878c65969b35161547596aceafb0fed355913ee253588295b26fd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x594F 11676 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.