Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f4730312c7d4ef6…

MALICIOUS

PDF

Size: 79.2 KB
Created: 2020-08-02 01:18:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aa839cef799844c99b9de5b8e50cacab
SHA-1: 78dbd5e14816d5c605289778c078e6607194a677
SHA-256: 1f4730312c7d4ef6e1ccba3e56457ed642716c46e9f1567663430d2a3b3bb496
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.com, which is likely used to obscure the final destination. The document body contains garbled text but also includes the URL and keywords related to 'Warframe' and 'directx admin', suggesting a lure for users searching for game-related downloads. The PDF also hosts a large number of links to other PDFs on Shopify domains, indicating a link farm for SEO poisoning or traffic redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.com/pify?keyword=warframe+directx+admin
    • http://files.kellymchugh.org/uploads/1/3/0/8/130813829/53afa38b48b59.pdf
    • http://files.travismammedatyart.com/uploads/1/3/2/3/132303147/6ac1fd74.pdf
    • http://files.uvoholicsanonymous.com/uploads/1/3/0/7/130775354/maxibupe.pdf
    • http://files.gympiejuniorrugbyleague.com/uploads/1/3/1/4/131483009/8171092.pdf
    • http://files.artsandwellnessofedenton.com/uploads/1/3/0/7/130740586/tatenutomav.pdf
    • https://cdn.shopify.com/s/files/1/0431/4746/0768/files/rajun.pdf
    • https://cdn.shopify.com/s/files/1/0432/8577/4502/files/77539801689.pdf
    • https://cdn.shopify.com/s/files/1/0437/5799/4138/files/lokusodaluxoziduxib.pdf
    • https://cdn.shopify.com/s/files/1/0427/4513/5260/files/85579833766.pdf
    • https://cdn.shopify.com/s/files/1/0440/2577/4245/files/mawibowuzozutej.pdf
    • https://cdn.shopify.com/s/files/1/0428/7945/1289/files/85972780092.pdf
    • https://cdn.shopify.com/s/files/1/0435/1698/5503/files/pumawewuvarixekom.pdf
    • https://cdn.shopify.com/s/files/1/0430/1615/9381/files/jarate.pdf
    • https://cdn.shopify.com/s/files/1/0431/1757/6354/files/android_lock_screen_removal.pdf
    • https://cdn.shopify.com/s/files/1/0430/4253/7629/files/17938179839.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/85755015361.pdf
    • https://cdn.shopify.com/s/files/1/0436/3599/8880/files/93113621319.pdf
    • https://cdn.shopify.com/s/files/1/0430/9093/5969/files/remove_nan_from_list_python.pdf
    • https://cdn.shopify.com/s/files/1/0430/1701/1353/files/rikat.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size.

stream_009_off00011d4a.bin
  SHA-256: 86080a04ebd78c763bf26cb6368b1a231e23f9dd80b9fbcaa967b2208a50f933
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x11D4A
  Size: 6504 bytes

font_00_sfnt_off00007ff6.bin
  SHA-256: 696a81e84d583080892157656baf155fffa2942e40915b42bf972e5d124c7400
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7FF6
  Size: 7516 bytes

font_01_sfnt_off0000937b.bin
  SHA-256: a5b279f02d72b9a9f90a20f4d0ea34bc529691a211e0332fc8c824e18e1de280
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x937B
  Size: 3148 bytes

font_02_sfnt_off00009eba.bin
  SHA-256: d07bbb875b37aa848e1430bd15e03926af24c9d5ab13abb73a8195cc69983987
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9EBA
  Size: 5036 bytes

font_03_sfnt_off0000af9a.bin
  SHA-256: 06620024b44374a83b8c1884f59b4bec392d08253552662d24842b9828248703
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xAF9A
  Size: 6280 bytes

font_04_sfnt_off0000bf05.bin
  SHA-256: d4aac78ed936d81c47a0bbf7d6f1b69cbf517259c650a12b940aa0e94fb8aacf
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xBF05
  Size: 27556 bytes

font_05_sfnt_off0001066a.bin
  SHA-256: fc4faafdc9afcc7236efe9fd833077fe74085339bb31e8ca6b49519969d1b3b2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1066A
  Size: 16572 bytes