Malicious PDF — malware analysis report

Static analysis result for SHA-256 1db9ab9dea03021e…

MALICIOUS

PDF

43.6 KB Created: 2020-08-29 18:51:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bb8708e90411bfa221818ca57125d901 SHA-1: 1f2fdad078bedc808841e6d172e712f1d6dbdb22 SHA-256: 1db9ab9dea03021ed2fc98cd21751b74759eb9c71c0c79a1b13ea80b95c57717
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=keto+in+five+pdf'. This URL is likely intended to lead the user to malicious content, disguised as a PDF download. The document body also contains this URL, reinforcing the lure. The PDF also contains a large number of external links, many hosted on Shopify, which is flagged as a link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=keto+in+five+pdf
    • https://cdn.shopify.com/s/files/1/0434/6406/5190/files/ariostea_marmi_classici.pdf
    • https://cdn.shopify.com/s/files/1/0434/6803/0102/files/manorama_year_book_2020_english.pdf
    • https://cdn.shopify.com/s/files/1/0430/2890/6138/files/46874693526.pdf
    • https://static.usrfiles.com/ugd/b8c837_a3598d9f81614114816d2769add7d672.pdf
    • https://cdn.shopify.com/s/files/1/0432/0998/2107/files/jalizuzapuvu.pdf
    • https://cdn.shopify.com/s/files/1/0431/0073/3596/files/ielts_writing_answer_sheet_task_1_2019.pdf
    • https://cdn.shopify.com/s/files/1/0432/1761/7057/files/mapisuzutujoxapoxeve.pdf
    • https://cdn.shopify.com/s/files/1/0429/0553/4620/files/88905772756.pdf
    • https://cdn.shopify.com/s/files/1/0438/2071/2098/files/70388022381.pdf
    • https://cdn.shopify.com/s/files/1/0438/3303/2864/files/management_a_practical_introduction_7th_edition.pdf
    • https://cdn.shopify.com/s/files/1/0430/9935/7338/files/vascular_malformations_of_the_spinal_cord.pdf
    • https://cdn.shopify.com/s/files/1/0429/4259/5239/files/free_building_brick_wall_powerpoint_template.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006e46.bin
f646e7e7917bab1f1f59a011dfa7e5acebe7531d0ec5f5b128f8ea34d886b2f6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E46 4548 bytes
font_01_sfnt_off00007de8.bin
ff44af09bad069698722d3292f955d07c25e6f2324d9a80f9dd8b3b3ac164e60		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7DE8 10524 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.