Malicious PDF — malware analysis report

Static analysis result for SHA-256 24f02c7b67cd95ba…

MALICIOUS

PDF

47.0 KB Created: 2020-08-16 14:07:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a01ae6837befcdd2f0d0b5b72269047a SHA-1: ae352bf476e2ceab8f5ad4424b23910d28ac1c77 SHA-256: 24f02c7b67cd95bae38dd8bce11f7c52cfa86510707eecf9a55d2a05eeacc7c6
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic firing for a malicious redirector. The document body, though heavily obfuscated, contains text that appears to be a lure related to '1970s platform shoes wood', which is also present in the malicious redirector URL. The primary intent appears to be directing the user to malicious infrastructure via the 'ttraff.cc' redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=1970s+platform+shoes+wood
    • http://files.saaabeoftexas.com/uploads/1/3/1/3/131380849/1390828.pdf
    • http://files.foodloveblog.com/uploads/1/3/1/3/131380868/vosirijofa.pdf
    • https://cdn.shopify.com/s/files/1/0430/9581/8404/files/magenta_pixie.pdf
    • https://cdn.shopify.com/s/files/1/0436/8426/6137/files/16149017016.pdf
    • https://cdn.shopify.com/s/files/1/0436/1070/1981/files/kevunelazisezeru.pdf
    • https://cdn.shopify.com/s/files/1/0434/1324/2005/files/63421165378.pdf
    • https://cdn.shopify.com/s/files/1/0435/5263/7091/files/90828656018.pdf
    • https://cdn.shopify.com/s/files/1/0431/5168/7848/files/vudinewivago.pdf
    • https://cdn.shopify.com/s/files/1/0431/8055/6452/files/78807364660.pdf
    • https://cdn.shopify.com/s/files/1/0430/8385/8080/files/pedunezuzelavinosove.pdf
    • https://cdn.shopify.com/s/files/1/0433/6353/2951/files/20528012148.pdf
    • https://cdn.shopify.com/s/files/1/0437/4259/3189/files/menamonazete.pdf
    • https://cdn.shopify.com/s/files/1/0429/6117/4684/files/denepekani.pdf
    • https://cdn.shopify.com/s/files/1/0429/9161/6153/files/37634644017.pdf
    • https://cdn.shopify.com/s/files/1/0435/0243/6518/files/befoda.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006c52.bin
e6fd56425df8be9a823a79b358140c8ef9018d07ad86cb17eec6afe5d7db2ba1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C52 5340 bytes
font_01_sfnt_off00007e8a.bin
549032ca8e70aa4e3618bc941fe0b06ca3ca89f50ccd09dc36c529977c5960d4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7E8A 10144 bytes
font_02_sfnt_off0000a144.bin
4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA144 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.