Malicious PDF — malware analysis report

Static analysis result for SHA-256 239543c6551c7ac5…

Verdict: MALICIOUS

File type: PDF
Size: 55.0 KB
Created: 2020-08-30 10:29:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b38495f9ced6d494cf8c182b3f93f715
SHA-1: 51a5d3d97a1fec74a9ea48e39d9e130a46300a93
SHA-256: 239543c6551c7ac5456c42d2056fd031c3c2d9eae98e6a676a58ef6de305957a
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link (the report labelled this ID "Spearphishing Attachment", which is T1566.001; the ID is kept because the document's behaviour is a clickable redirector link, not an exploit in the attachment itself)
  • T1059.001 Command and Scripting Interpreter: PowerShell (not corroborated by this static pass: no script content was extracted from the file, so any PowerShell stage would have to come from the redirect chain, outside this sample)

The sample is a 55 KB PDF generated from HTML with wkhtmltopdf, which is how these carrier documents are mass-produced. Its clickable links fall into two groups: fifteen links to other PDFs on user-upload CDNs (cdn.shopify.com and static.usrfiles.com, the latter Wix's file host), which are benign hosts used as a link farm, and a single redirector link to 'ttraff.com' whose query string carries a search phrase ('lenda de negro taj mahal'), the pattern of an SEO-poisoning lure. The redirector link fires a critical heuristic (PDF_MALICIOUS_REDIRECTOR_LINK) and the link farm a second one (PDF_SEO_LINK_FARM); the ML classifier scores the file 1.0000 malicious. No script content was extracted and the only carved artifacts are five embedded fonts, so the document carries no exploit for the reader: it is a lure that depends on the user clicking through a redirect chain to a harmful site. The remaining extracted URLs are XMP metadata namespace identifiers, not links, and carry no signal.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and a redirect chain rather than a PDF parser vulnerability, so the risk lies in following the link, not in rendering the file. The chain's current destination has to be resolved live in a sandbox when assessing impact, since a redirector can be repointed after the document is published.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, and does not resemble a normal citation pattern.
  • EMBEDDED_URL (info): Embedded URL info
    One or more URLs were extracted from the document. A URL is not a detection by itself; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Link targets (clickable, per the two link heuristics above):
    • https://ttraff.com/wix?keyword=lenda+de+negro+taj+mahal (the redirector; the only target that is not a .pdf, and the keyword parameter is a search phrase)
    • https://cdn.shopify.com/s/files/1/0440/8098/8310/files/ejercicios_de_disoluciones_4_eso_res.pdf
    • https://cdn.shopify.com/s/files/1/0438/3506/4477/files/cannibal_ferox_1983_tamil_dubbed_movie.pdf
    • https://cdn.shopify.com/s/files/1/0437/5104/7329/files/99690584427.pdf
    • https://cdn.shopify.com/s/files/1/0436/5149/8142/files/agar._io_private_server_no.pdf
    • https://static.usrfiles.com/ugd/b8c837_bb9c164d9f764af6adca72799d9bd272.pdf
    • https://static.usrfiles.com/ugd/c63dba_c4ef99cfaa95427ca7192f6c097bd020.pdf
    • https://static.usrfiles.com/ugd/affb4a_a1535b021dfc490189cfdcb566ddb2fb.pdf
    • https://static.usrfiles.com/ugd/b8c837_02fcd7a8c76540ff8357d32089e30245.pdf
    • https://static.usrfiles.com/ugd/72216b_19d6e48a6b8d47aaa86a76399b74b8b4.pdf
    • https://static.usrfiles.com/ugd/b8c837_779f679d34cc4bf49bc449e7b4a11641.pdf
    • https://static.usrfiles.com/ugd/b8bbd7_18bc8464f9ef4af48d13f7d672f6a8ec.pdf
    • https://static.usrfiles.com/ugd/7baf93_e45c17b010e0461eb7ff06d2dd78ad6c.pdf
    • https://static.usrfiles.com/ugd/238140_8a5cbe086c81429ba00f1abe9a117065.pdf
    • https://static.usrfiles.com/ugd/b8c837_80b834759d2c4e9b943af6c63b8f4b64.pdf
    • https://static.usrfiles.com/ugd/3ce946_85e3d369496c4c03b79769ca964c8f4a.pdf
    XMP metadata namespace URIs (not clickable links; present in any XMP-tagged PDF and not an indicator):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
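The two link heuristics and the per-channel URL labelling above can be reproduced on raw PDF bytes. The following is an added example written for this page, not the analysis tool's own code (its thresholds and its list of known redirector hosts are not published here). The sample PDF it builds, the hosts and paths inside it, the `redirect.example` host, and the thresholds `max_size`, `min_pdf_links` and `min_cluster` are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed link-farm stand-in: 11 links to .pdf files on two CDN-style hosts
# (8 on one host, 3 on another) plus one non-.pdf link to a hypothetical
# redirector. This is NOT the analysed sample; only the shape is the same.
_PDF_LINKS = (
    [f"https://cdn.shopify.com/s/files/1/0000/000{i}/files/doc_{i}.pdf" for i in range(8)]
    + [f"https://static.usrfiles.com/ugd/aaaa{i}_constructed.pdf" for i in range(3)]
    + ["https://redirect.example/wix?keyword=constructed+lure"]  # hypothetical redirector
)


def build_sample_pdf(links):
    """Assemble a minimal uncompressed PDF: one page, one /Link annotation per
    URL, and an XMP metadata stream carrying namespace URIs. /Length entries are
    omitted because the regex extractor below does not need them."""
    xmp = (b'<x:xmpmeta><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/"/></x:xmpmeta>')
    refs = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(links)))
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [ "
        + refs + b" ] >> endobj",
        b"4 0 obj << /Type /Metadata /Subtype /XML >> stream\n" + xmp + b"\nendstream endobj",
    ]
    for i, url in enumerate(links):
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 %d 200 %d] "
                    b"/A << /S /URI /URI (%s) >> >> endobj"
                    % (5 + i, 10 * i, 10 * i + 10, url.encode()))
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


# Clickable URI action inside a /Link annotation (literal-string form only).
_LINK_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
# Body of an XMP metadata stream, and the xmlns declarations inside it.
_META_RE = re.compile(rb"/Type\s*/Metadata.*?stream\r?\n(.*?)endstream", re.S)
_XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9_]+="([^"]+)"')


def extract_urls(pdf_bytes):
    """Return (channel, url) pairs. 'link-annotation' is a clickable /Link
    action; 'xmp-namespace' is a namespace URI from document metadata, which
    is never clickable and should not be treated as an indicator."""
    found = [("link-annotation", m.group(1).decode("latin-1"))
             for m in _LINK_RE.finditer(pdf_bytes)]
    for meta in _META_RE.finditer(pdf_bytes):
        found += [("xmp-namespace", m.group(1).decode("latin-1"))
                  for m in _XMLNS_RE.finditer(meta.group(1))]
    return found


def link_farm_verdict(pdf_bytes, max_size=200_000, min_pdf_links=8, min_cluster=0.5):
    """Link-farm heuristic with assumed thresholds: a small file whose clickable
    links point mostly at .pdf files clustered on one host. Clickable links that
    are not .pdf targets are returned as outliers; in a generated farm the odd
    link out is the one to investigate (in the report above, the redirector was
    the only non-.pdf click target)."""
    clickable = [u for ch, u in extract_urls(pdf_bytes) if ch == "link-annotation"]
    pdf_links = [u for u in clickable if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    return {
        "size": len(pdf_bytes),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(share, 3),
        "outlier_links": [u for u in clickable if u not in pdf_links],
        "fires": len(pdf_bytes) <= max_size
        and len(pdf_links) >= min_pdf_links
        and share >= min_cluster,
    }


SAMPLE_PDF = build_sample_pdf(_PDF_LINKS)

if __name__ == "__main__":
    for channel, url in extract_urls(SAMPLE_PDF):
        print(f"{channel:16} {url}")
    print(link_farm_verdict(SAMPLE_PDF))
```

Two caveats when pointing this at a real sample. The regex scan only sees uncompressed objects and literal-string URIs; wkhtmltopdf output normally Flate-compresses its streams and a `/URI` may be hex-encoded or precede `/S`, so inflate the file with a PDF parser first or the link count will be zero and the heuristic silently fails closed. And the outlier list is a triage aid, not the PDF_MALICIOUS_REDIRECTOR_LINK match, which needs a curated list of known redirector hosts that this example does not carry.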

Extracted artifacts (5)

Files carved from inside the sample during analysis. All five are embedded sfnt (TrueType/OpenType) font programs, which wkhtmltopdf/Qt output embeds routinely; they are listed for completeness and are not a detection.

Filename                      Kind             Source                                     Size        SHA-256
font_00_sfnt_off00006b03.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6B03  4816 bytes  dd5276821fa4f6a5403d469f0030fc08ba7e40008a57c7d36824e3119264f86b
font_01_sfnt_off00007b34.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7B34  10428 bytes 788d9018465c32bbd09fbb7c22d3884b621f978e1fcdc9abcda47d881ed37672
font_02_sfnt_off00009e98.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x9E98  16288 bytes 6a17998fa51180fb67b9da42954f7444a69f130d4e4be0d654a725e0e49133cc
font_03_sfnt_off0000b450.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xB450  4324 bytes  cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34
font_04_sfnt_off0000c252.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xC252  2904 bytes  b9472279787e0bd80d4ad3b6f6018263a6735bbe557b78ea9741e68e6ca26a41