Malicious PDF — malware analysis report

Static analysis result for SHA-256 1cd64335dc86bedc…

Verdict: MALICIOUS
File type: PDF
Size: 41.5 KB
Created: 2020-08-16 02:16:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0048bbabf7c9599866dfa78f6ff7de93
SHA-1: eddda7b58f1e624069c50bf87f1e4c86fc4da128
SHA-256: 1cd64335dc86bedcd48968916c7c7ca6efa8decb0d18ae0ae286d495c1a1066b
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a high density of external links, many of which point to a link farm hosted on Shopify. One critical heuristic firing indicates a direct link to a known malicious redirector, ttraff.cc. The document body, though heavily obfuscated, contains the same malicious URL and other URLs that are part of the link farm. This suggests the primary purpose is to redirect the user to malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wb?keyword=business%20case%20development%20pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • font_00_sfnt_off0000659b.bin
    SHA-256: e5e30ea474e3f99f58dcfa49928d31ca0e5a3c018ba37174f13bdce7b8cf0015
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x659B
    Size: 5312 bytes
  • font_01_sfnt_off000077a4.bin
    SHA-256: b4a6beeb52ccdbbc207b71aba8832de6d86a7d24778ffbae6e27bf5846e4470c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x77A4
    Size: 9900 bytes