Malicious PDF — malware analysis report

Static analysis result for SHA-256 290e054e6e99942d…

MALICIOUS

PDF

Size: 121.9 KB
Created: 2020-09-10 10:42:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00e6ba30cc049180fa921e14e3c6322e
SHA-1: a275e4eec0fd7264ea1f9fbd67a3b5c44ab0fc8b
SHA-256: 290e054e6e99942d59b14baa2ca87a62cbb0c4aa2e1770cf2361bafe9931e4dc
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a malicious redirector link that points to ttraff.com, which is known for hosting malicious content. The document body, though heavily obfuscated, contains the same URL. The PDF also features a large number of external links, many of which point to PDF files, suggesting a link farm or SEO poisoning tactic. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/wb?keyword=tutorialspoint%20ms%20word%202007%20pdf
    • http://files.jacquelinedeangelis.com/uploads/1/3/2/6/132681394/gonaz-bofewubam-tomavo.pdf
    • http://files.divinesoulenergy.com/uploads/1/3/0/9/130969819/d55ccdadbe3c.pdf
    • http://ravuronaj.tummystuffer101.com/uploads/1/3/0/7/130739431/timuwubow.pdf
    • http://zipidulu.highstitch.com/uploads/1/3/0/9/130969959/tutiketusokikukemoz.pdf
    • https://cdn.shopify.com/s/files/1/0428/8702/0703/files/13242087964.pdf
    • https://cdn.shopify.com/s/files/1/0446/2352/8099/files/fibixemepigenososozudij.pdf
    • https://cdn.shopify.com/s/files/1/0439/9392/3742/files/balu_mahi_film_songs.pdf
    • https://static.usrfiles.com/ugd/a86d68_1e2a51e6275b483fa4e9c6f9416e390a.pdf
    • https://static.usrfiles.com/ugd/19103d_512b9a5c97a146e782a51c3a6bd78bfd.pdf
    • https://static.usrfiles.com/ugd/027f51_9bf1d6b3c9c042e98005c56529efc628.pdf
    • https://static.usrfiles.com/ugd/bfd504_28c2a3edc83c4154915ba89103da76ef.pdf
    • https://static.usrfiles.com/ugd/7ea8bb_9cfc241dbd0449e09ad0ff9e178858bd.pdf
    • https://static.usrfiles.com/ugd/cd1d52_b10d6155588741efb273527e8ad64590.pdf
    • https://static.usrfiles.com/ugd/c7ef1a_3fcdc12db79441c58d8c851379cd78f7.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001a32b.bin
SHA-256:  617892405f782372139300898c6b6eced6e56b2a76894b800b841200fbd97eb0
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x1A32B
Size:     5584 bytes

Filename: font_01_sfnt_off0001b625.bin
SHA-256:  c5ccf43666b8fcbd0fa897260eb8ed2ab4792b58a6f0b13d3b16813a6a033214
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x1B625
Size:     10508 bytes