Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ffedbc16c56389e…

MALICIOUS

PDF

59.9 KB Created: 2020-08-16 19:03:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a8fa89bad0bb6faafa540a34fe22fa11 SHA-1: fdccf30cdbd1398bf9d68670533a244da569303d SHA-256: 1ffedbc16c56389e18f899fdd7acca8294f7e553bf1413cf4d0ebe4e677d2fc8
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.com, which is disguised as a guide for 'Summoners War'. The PDF also contains a large number of embedded links, many pointing to shopify.com, suggesting a link farm or SEO poisoning tactic to drive traffic to malicious sites. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=summoners+war+fire+homunculus+guide
    • http://files.theothershoe.net/uploads/1/3/0/7/130740536/c59b147.pdf
    • http://files.heartandmindofaleader.com/uploads/1/3/0/8/130874029/75d669c3184657f.pdf
    • https://cdn.shopify.co
    • https://cdn.shopify.com/s/files/1/0431/9353/2573/files/21873802217.pdf
    • https://cdn.shopify.com/s/files/1/0436/0051/1138/files/fotopilevilovojefo.pdf
    • https://cdn.shopify.com/s/files/1/0428/0611/6511/files/venafamoketufewokimotagut.pdf
    • https://cdn.shopify.com/s/files/1/0435/5470/1463/files/7428406088.pdf
    • https://cdn.shopify.com/s/files/1/0429/7208/6423/files/kuwivexaduroroduzit.pdf
    • https://cdn.shopify.com/s/files/1/0434/4155/3575/files/sanulojiz.pdf
    • https://cdn.shopify.com/s/files/1/0431/3215/8116/files/mivetikuluwezujuki.pdf
    • https://cdn.shopify.com/s/files/1/0436/4576/3744/files/76219306776.pdf
    • https://cdn.shopify.com/s/files/1/0431/4906/6397/files/m1_garand_disassembly.pdf
    • https://cdn.shopify.com/s/files/1/0431/2308/1378/files/lightning_protection_using_lfa_lightning_frequency_arrester.pdf
    • https://cdn.shopify.com/s/files/1/0431/4886/9786/files/60874051200.pdf
    • https://cdn.shopify.com/s/files/1/0429/6241/9863/files/mudot.pdf
    • https://cdn.shopify.com/s/files/1/0430/4565/0586/files/xuvagaroko.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000090b7.bin
e1ace70b49154b8f29671fa9dd7116bc1f9fcae2b5adcb004b6f4e609a78730e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x90B7 5628 bytes
font_01_sfnt_off0000a3ac.bin
f5617a8c015c9f883d2eef6d9220097c31f1590c100533f3bec6ccae121d4680		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA3AC 13176 bytes
font_02_sfnt_off0000cd34.bin
39b2f4b99ee08965fd4836f89f628a00cde8346cb181131bba0308e80db8fb67		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCD34 16092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.