Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d519ace1f824469…

Verdict: MALICIOUS
File type: PDF
Size: 76.0 KB
Created: 2020-07-24 09:08:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9911d00409e724b286c3273ceb7500b1
SHA-1: e763b58650264c642b399634e235b421ed304432
SHA-256: 1d519ace1f8244695059ac3dd9d255b444aa2df044b93534813177f1223e3c4b
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link (the document's payload is a set of clickable redirector URIs, not an exploit). T1059.001 PowerShell is also tagged, but nothing in this static analysis supports it: the only carved objects are two font streams, and no script, launch action or embedded file was found.

The PDF fires a critical heuristic for a clickable URI to ttraff.com, a redirector host tied to a known PDF SEO/adware delivery campaign. It also matches the PDF link-farm pattern: a 76 KB document carrying 14 clickable links to external PDFs, ten of them on cdn.shopify.com, which is not how a legitimate document cites sources. The ML classifier scored it 1.0000 malicious. The document body text is corrupted or obfuscated, but the keyword parameter in the ttraff.com URL ('ebba koch mughal architecture pdf') suggests the file is search-engine bait aimed at users looking for that title, the lure being the promise of the book itself. The authoring application, wkhtmltopdf, is consistent with a generated HTML page rendered to PDF rather than a hand-authored document. Nothing indicates a parser exploit; delivery depends on the user following the link chain.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) indicate which channel reached each URL.
    • https://ttraff.com/wb?keyword=ebba%20koch%20mughal%20architecture%20pdf
    • http://files.rosemontchoirs.com/uploads/1/3/2/7/132710753/c2bc526a927.pdf
    • http://files.mindfulness-heidelberg.de/uploads/1/3/0/7/130739340/nozefadino.pdf
    • http://files.xoforeverpics.com/uploads/1/3/2/7/132740958/risurapojadidopu.pdf
    • http://files.surrenderedtochrist.org/uploads/1/3/2/6/132681656/wulegi.pdf
    • https://cdn.shopify.com/s/files/1/0440/1207/7206/files/fufoje.pdf
    • https://cdn.shopify.com/s/files/1/0431/9969/2958/files/sufafazaka.pdf
    • https://cdn.shopify.com/s/files/1/0433/3545/0774/files/24769217089.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/sogogetuxupoxex.pdf
    • https://cdn.shopify.com/s/files/1/0431/6859/6123/files/99370408067.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/48675385277.pdf
    • https://cdn.shopify.com/s/files/1/0437/1080/8213/files/92581143237.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/bixebor.pdf
    • https://cdn.shopify.com/s/files/1/0434/0557/4309/files/sedakuwadu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/negonarufefozosaburesid.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The six entries immediately above are XMP/RDF namespace URIs from the document's metadata stream, not clickable links. They appear in any PDF carrying XMP metadata and carry no signal; only the ttraff.com URL and the 14 .pdf links are link-annotation targets relevant to the heuristics.
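The two critical heuristics above (a small file with many external link annotations clustered on one host, and a clickable URI whose host is on a known redirector list) can be reproduced from the link annotations alone. The following is an added example, not the analysis platform's rule code: it builds a constructed minimal PDF containing /Link annotations and an XMP metadata stream, extracts only the string operands of /URI actions (so XMP namespace URIs are never counted), and scores the result. The hostnames, the redirector list and the thresholds are assumptions chosen for illustration and are not taken from this report.

```python
"""Link-farm and redirector heuristics over a PDF's clickable /URI actions.

Added example; not the analysis platform's own rule code. The PDF skeleton,
hostnames, redirector list and thresholds below are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed known-bad redirector hosts (placeholder, not a real feed).
REDIRECTOR_HOSTS = {"redirector.example"}

# Constructed link targets: one redirector, ten files on a single CDN-style host,
# two on unrelated hosts. None of these are the hosts from the report.
LINK_URLS = (
    ["https://redirector.example/wb?keyword=lure%20pdf"]
    + [f"https://cdn.example-cdn.net/s/files/{i}/doc{i}.pdf" for i in range(10)]
    + ["http://files.host-a.example/uploads/1/a.pdf",
       "http://files.host-b.example/uploads/2/b.pdf"]
)

# Constructed XMP packet: contains URLs, but as namespace identifiers, not links.
XMP = ("<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF "
       "xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
       "xmlns:dc='http://purl.org/dc/elements/1.1/'/></x:xmpmeta>")


def build_sample_pdf(urls, xmp=XMP):
    """Minimal (xref-less) PDF: one page whose /Annots are /Link -> /URI actions,
    plus an XMP metadata stream. Enough structure for the regex-based scan below."""
    annots = "".join(
        f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        f"/A << /S /URI /URI ({u}) >> >> " for u in urls)
    body = (
        "%PDF-1.4\n"
        "1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{annots}] >> endobj\n"
        f"4 0 obj << /Type /Metadata /Subtype /XML /Length {len(xmp)} >> stream\n"
        f"{xmp}\nendstream endobj\n"
        "trailer << /Root 1 0 R >>\n%%EOF\n"
    )
    return body.encode("latin-1")


# Only the string operand of a /URI action is a clickable link target. Namespace
# URIs inside the XMP stream never match this pattern, so they are not counted.
# Limitation: escaped literal strings, hex strings and indirect objects are not
# handled; a production rule needs a real PDF object parser.
URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")


def extract_link_uris(pdf_bytes):
    return [m.decode("latin-1") for m in URI_ACTION.findall(pdf_bytes)]


def link_verdict(pdf_bytes, max_size=200 * 1024, min_links=8, cluster_ratio=0.5):
    """Score in the spirit of PDF_SEO_LINK_FARM and PDF_MALICIOUS_REDIRECTOR_LINK.
    Thresholds are assumptions for this example, not the platform's values."""
    uris = extract_link_uris(pdf_bytes)
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    hosts = Counter(urlparse(u).hostname for u in external)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_share = top_n / len(external) if external else 0.0
    redirectors = [u for u in external if urlparse(u).hostname in REDIRECTOR_HOSTS]
    return {
        "size": len(pdf_bytes),
        "external_links": len(external),
        "top_host": top_host,
        "top_share": round(top_share, 3),
        # Small file + many external links + most of them on one host.
        "link_farm": (len(pdf_bytes) <= max_size and len(external) >= min_links
                      and top_share >= cluster_ratio),
        "redirector_hits": redirectors,
    }


if __name__ == "__main__":
    print(link_verdict(build_sample_pdf(LINK_URLS)))
    print(link_verdict(build_sample_pdf(["https://docs.example.org/spec.pdf"])))
```

The check is deliberately scoped to /URI action operands: counting every URL-shaped string in the file would let the XMP namespace URIs inflate the link count and the host clustering, which is exactly the false-positive path the EMBEDDED_URL entry warns about when it says the URL itself is not a detection.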

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ece8.bin
  SHA-256: ff52a178bcf427209dd5d2c74cbe429a9ca6d93e8ad1b1c77dd3c920396f19cc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xECE8
  Size: 5328 bytes

Filename: font_01_sfnt_off0000ff0b.bin
  SHA-256: 50b58b622dd6878d448a4ef183361830ad425ca2e161e8db5737d6665c64e88d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFF0B
  Size: 10488 bytes

The only carved objects are two sfnt (TrueType/OpenType) font streams; no scripts, embedded files or launch actions were carved, which is consistent with a link-only carrier whose delivery depends on the user clicking through rather than on any parser weakness.