Malicious PDF — malware analysis report

Static analysis result for SHA-256 30e1b69cb2d0158f…

MALICIOUS

PDF

48.7 KB Created: 2020-08-30 09:41:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 99bb703684596b572918c0ea4d45f1f5 SHA-1: 6393fc9beb84b87a222f52a26eef338368af9e08 SHA-256: 30e1b69cb2d0158f620fe859bd08af5dd6833a022f162f4fb0a56fa543e38d3f
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a prominent link disguised as a free download for automotive mechanic books. This link, however, redirects to a known malicious domain, ttraff.cc, indicating a phishing or malware distribution attempt. The document body, though heavily obfuscated, contains the malicious URL and references the lure content. The presence of numerous embedded links further supports the SEO-based lure tactic.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=automotive+mechanic+books+pdf+free+download
    • https://static.usrfiles.com/ugd/b8c837_37139062dca7476993837f8d383cc0a0.pdf
    • https://static.usrfiles.com/ugd/e745be_1fbe667f26534da194063d2e3aaf6569.pdf
    • https://static.usrfiles.com/ugd/b8c837_a7dd1623cdc14e0389253627334ffbe6.pdf
    • https://static.usrfiles.com/ugd/48d9a1_09b1dfbeae6249e3b5158ccca7ee3c58.pdf
    • https://static.usrfiles.com/ugd/c1615c_164a2aac787d4db68b4e0d6ba89b3e5c.pdf
    • https://cdn.shopify.com/s/files/1/0431/7921/2959/files/rubesenupax.pdf
    • https://cdn.shopify.com/s/files/1/0436/9963/4326/files/window_cleaning_letter_templates.pdf
    • https://cdn.shopify.com/s/files/1/0429/6415/6582/files/neumonia_adultos.pdf
    • https://cdn.shopify.com/s/files/1/0433/9036/9942/files/motorola_apx_4000_holster.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/semigo.pdf
    • https://cdn.shopify.com/s/files/1/0433/3761/3461/files/84453232746.pdf
    • https://cdn.shopify.com/s/files/1/0429/9502/4033/files/73417089220.pdf
    • https://cdn.shopify.com/s/files/1/0428/0667/3574/files/34193221002.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000665c.bin
6bc182d7d0a1c09ac4a95a38fdb739746b8e7acad42a4364b3e36cd598e336eb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x665C 5740 bytes
font_01_sfnt_off000079ce.bin
89454d8ece1be00d2333aac76955f46ed17c4d141322e635bf27f42efb43e54e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x79CE 2116 bytes
font_02_sfnt_off0000839a.bin
899fbaa09ea09d676b0a33aa6cd732337aaf450f63748dd4e446a600097ee446		 pdf-font-stream PDF embedded font (sfnt) at offset 0x839A 15532 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.