Malicious PDF — malware analysis report

Static analysis result for SHA-256 3564f43169a887bc…

MALICIOUS

PDF

Size: 42.9 KB | Created: 2020-09-01 01:02:06 +03:00 | Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bc2636bc7c9420acb4e833efda3744e8
SHA-1: f32912821823d721fbd53c2e2712c95ea6184088
SHA-256: 3564f43169a887bcaedf1b5cc181819b21221e5d3c2a635baa94f6a47fa05e55
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=who+checks+my+profile+app'. The document body, though heavily obfuscated, also contains this URL and numerous other links to PDF files hosted on Shopify and static.usrfiles.com, indicating a link farm strategy. The ML classifier also strongly flagged this PDF as malicious. The primary attack pattern is a lure to a malicious redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/wix?keyword=who+checks+my+profile+app

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                          | Kind            | Source                                      | Size
----------------------------------|-----------------|---------------------------------------------|------------
font_00_sfnt_off000068af.bin      | pdf-font-stream | PDF embedded font (sfnt) at offset 0x68AF   | 5432 bytes
  SHA-256: ad81503ca4667a7afcd492f2ed44fb71c4ab811f5bb0e2154021d34132652c91
font_01_sfnt_off00007b17.bin      | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7B17   | 10432 bytes
  SHA-256: 161da290ec5210563d3501dad1d144c0e9f549148692479cd336a2354f824e51