Malicious PDF — malware analysis report

Static analysis result for SHA-256 3018047f6d23949d…

MALICIOUS

PDF

Size: 47.0 KB
Created: 2020-08-30 12:03:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9765eb986747cba0fdcd83590348c297
SHA-1: bc2201dbc29c6f105725f6f7999329fedec56545
SHA-256: 3018047f6d23949df2affe1efe8bc611d163d263c162da7e39f833bc6885e5bc
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix'. Additionally, it exhibits characteristics of a PDF link farm, with numerous links to external PDFs, many hosted on cdn.shopify.com. The document body, though heavily obfuscated, contains the same malicious URL. The primary intent appears to be luring the user to a malicious site via a deceptive link.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00005aa8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5AA8   5572 bytes
  SHA-256: fbc59420c96873a82590fdad4899acb6b6a0031aeeb999cabab5d004ef554477
font_01_sfnt_off00006d8c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6D8C   1800 bytes
  SHA-256: 6d2a3a16cc464ce72cf05976c7f96a31c93af2202e0dc760c37a694345e222ee
font_02_sfnt_off0000761c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x761C   10128 bytes
  SHA-256: 4ae587db36ad0dbe3f94006a8616b5dcad0bf35e6b83b45bd0548bca92eefcb6
font_03_sfnt_off0000990a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x990A   16312 bytes
  SHA-256: b2563e85233037e3c2780690ed1455257f868516b5a962e54e6ffe29314c9cb1