Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d0c2f72bb190c4f…

MALICIOUS

PDF

61.5 KB Created: 2020-09-06 15:49:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aee05272d6422ba65b3e8b87b005e986 SHA-1: 5d1e00e7b5e5f2daab961232ebd4400b2a884340 SHA-256: 2d0c2f72bb190c4f1807484dde684bbdb465c367e21cb34f2e10a40fa53f80d8
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a malicious redirector link pointing to 'https://ttraff.club/wix?keyword=makkar+ielts+speaking+pdf+september+2018', disguised as a lure for IELTS study materials. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' confirms this malicious intent. Additionally, the PDF exhibits characteristics of a link farm, with numerous external links, as indicated by 'PDF_SEO_LINK_FARM'. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=makkar+ielts+speaking+pdf+september+2018
    • https://cdn.shopify.com/s/files/1/0432/9275/4080/files/nawabigeliti.pdf
    • https://cdn.shopify.com/s/files/1/0430/0469/0581/files/65947764313.pdf
    • https://cdn.shopify.com/s/files/1/0437/7044/5982/files/zajadonozakuvepurijebo.pdf
    • https://cdn.shopify.com/s/files/1/0430/8949/4177/files/51463958091.pdf
    • https://cdn.shopify.com/s/files/1/0434/1124/3164/files/aep_report_power_outage_columbus_ohio.pdf
    • https://cdn.shopify.com/s/files/1/0431/8317/7887/files/gaxobekutixasojis.pdf
    • https://cdn.shopify.com/s/files/1/0458/6605/7881/files/android_app_for_windows_keyboard.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/73633131036.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/52733892229.pdf
    • https://cdn.shopify.com/s/files/1/0431/0600/9255/files/88782022099.pdf
    • https://cdn.shopify.com/s/files/1/0433/6635/0998/files/14224696196.pdf
    • https://cdn.shopify.com/s/files/1/0437/8309/4434/files/73233587343.pdf
    • https://cdn.shopify.com/s/files/1/0461/9003/5095/files/former_badger_basketball_players.pdf
    • https://cdn.shopify.com/s/files/1/0437/6972/5080/files/vevo_songs_2019.pdf
    • https://cdn.shopify.com/s/files/1/0430/2805/4169/files/77224197730.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000aa37.bin
27191247f3210a14ba90080910ef72dde0f42bdfcedfec3f3a51949a94415c6e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAA37 6088 bytes
font_01_sfnt_off0000beea.bin
c23caee12dd5f188b19d4855235869d348709080e99e8f6379fecaff42968471		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBEEA 13748 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.