Malicious PDF — malware analysis report

Static analysis result for SHA-256 3693ba388978946f…

Verdict: MALICIOUS
File type: PDF
Size: 41.9 KB
Created: 2020-08-31 05:00:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: adfdee1c0bda2839857b2ce544d17f91
SHA-1: 8b0535765a6152b8cacc24357500ae37e9647d9f
SHA-256: 3693ba388978946f7830e6c65ff9972498a7f9e10b20161ecbb6a49e478e0c37
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link (the lure is a clickable link inside the document, not an executable payload)
T1059.001 Command and Scripting Interpreter: PowerShell (not supported by the static findings below: no scripts were extracted from the sample, so treat this mapping as unconfirmed)

The PDF's lure is a prominent link advertising free plywood boat plans. Its target is ttraff.com, a host the analyser associates with a known malicious redirector campaign, so the attack depends on the user clicking through a redirect chain rather than on a parser vulnerability: this is social engineering, not exploitation. The ML classifier independently scores the file as malicious. No scripts or other active content were extracted, so the link annotation is the primary indicator of compromise; the remaining link targets (a cluster of external PDFs on static.usrfiles.com and cdn.shopify.com) fit the generated SEO link-farm pattern, and the wkhtmltopdf producer string is consistent with an automatically generated rather than hand-authored document.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Clickable link targets (the URIs scored by the two heuristics above):
    • https://ttraff.com/wix?keyword=free+plywood+boat+plans+pdf
    • https://static.usrfiles.com/ugd/0ebc1f_7badf1cf7d5f40579222b0d551b001a3.pdf
    • https://static.usrfiles.com/ugd/7baf93_32d9725231504c3c9c569c4f2434a60f.pdf
    • https://static.usrfiles.com/ugd/43d598_c6b317bdde404defa7000f44bc1da33c.pdf
    • https://static.usrfiles.com/ugd/b8c837_d160ce30a08f43b8a5703c44dd9143de.pdf
    • https://static.usrfiles.com/ugd/a382ee_b454ed3036ea45ebb18848f781739d1a.pdf
    • https://static.usrfiles.com/ugd/16a96a_44d87b3362e54d5fa241c9bc88e5ac2d.pdf
    • https://cdn.shopify.com/s/files/1/0438/7618/8315/files/75424799544.pdf
    • https://cdn.shopify.com/s/files/1/0437/6854/5442/files/social_media_marketing_plan_template_word.pdf
    • https://cdn.shopify.com/s/files/1/0436/9747/1656/files/jijelonet.pdf
    • https://cdn.shopify.com/s/files/1/0434/3581/9173/files/navef.pdf
    • https://static.usrfiles.com/ugd/253000_782c9fdcf82a478caa13e87cb43a948a.pdf
    • https://static.usrfiles.com/ugd/fac845_a62e1592259f42b5b04ce103b3bfbc5a.pdf
    • https://static.usrfiles.com/ugd/b8c837_ff482b99a2044902bd9b5e8ca62e7d65.pdf
    • https://static.usrfiles.com/ugd/b8c837_9785048858594324a5d985888137b020.pdf
    XMP metadata namespace identifiers (declared in the document's XMP packet; these are not clickable links and are not indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    Other extracted string (truncated as extracted):
    • https://static.usrfiles.com/u
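The two critical heuristics above describe a detection that can be reproduced from the raw PDF objects: collect the /URI targets of link annotations, keep XMP namespace declarations in a separate channel so they are never scored as links, then flag a known redirector host and a small document whose .pdf links cluster on one host. The Python below is an added example written for this report, not the analyser's own code; the thresholds, the redirector watchlist and the two constructed sample PDFs are assumptions (the malicious sample reuses link targets from this report, the benign control uses example.com/example.org placeholders).

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed detection parameters (hypothetical; the analyser's real thresholds are not on the page).
KNOWN_REDIRECTOR_HOSTS = {"ttraff.com"}   # host named in the report's own finding
LINK_FARM_MIN_PDF_LINKS = 8
LINK_FARM_MIN_TOP_HOST_SHARE = 0.5
SMALL_PDF_MAX_BYTES = 100 * 1024

# "/URI (string)" inside a link-annotation action; the name value in "/S /URI" does not match.
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# xmlns declarations inside an XMP packet: namespace identifiers, not links.
XMP_NS_RE = re.compile(rb'xmlns:\w+="([^"]+)"')


def build_sample_pdf(link_urls, xmp_namespaces):
    """Construct a minimal, uncompressed PDF with the given link annotations and XMP
    namespaces. A constructed stand-in for the analysed file, not the file itself."""
    annots = b" ".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (%s) >> >>" % u.encode()
        for u in link_urls
    )
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           + b" ".join(b'xmlns:ns%d="%s"' % (i, ns.encode()) for i, ns in enumerate(xmp_namespaces))
           + b"/></x:xmpmeta>")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + annots + b"] >>",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def extract_urls(pdf):
    """Pull URLs out of an uncompressed PDF, labelled by the channel that carried them.
    Only two channels are modelled: link-annotation /URI actions and XMP namespace
    declarations. A real analyser must inflate FlateDecode streams and object streams
    first; this regex scan sees only plain-text objects."""
    links = [m.decode("latin-1") for m in URI_ACTION_RE.findall(pdf)]
    xmp_ns = [m.decode("latin-1") for m in XMP_NS_RE.findall(pdf)]
    return {"link-annotation": links, "xmp-namespace": xmp_ns}


def run_heuristics(pdf):
    """Return the heuristic IDs that fire, in evaluation order.
    Only the link-annotation channel is scored; XMP namespace URIs are ignored on purpose."""
    links = extract_urls(pdf)["link-annotation"]
    hits = []
    hosts = [urlsplit(u).hostname for u in links]
    if any(h in KNOWN_REDIRECTOR_HOSTS for h in hosts if h):
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    pdf_links = [u for u in links if urlsplit(u).path.lower().endswith(".pdf")]
    if len(pdf) <= SMALL_PDF_MAX_BYTES and len(pdf_links) >= LINK_FARM_MIN_PDF_LINKS:
        _top_host, count = Counter(urlsplit(u).hostname for u in pdf_links).most_common(1)[0]
        if count / len(pdf_links) >= LINK_FARM_MIN_TOP_HOST_SHARE:
            hits.append("PDF_SEO_LINK_FARM")
    return hits


# Constructed sample mirroring the report: one redirector link plus external .pdf links
# clustered on static.usrfiles.com (link targets copied from the report above).
SEO_SAMPLE = build_sample_pdf(
    [
        "https://ttraff.com/wix?keyword=free+plywood+boat+plans+pdf",
        "https://static.usrfiles.com/ugd/0ebc1f_7badf1cf7d5f40579222b0d551b001a3.pdf",
        "https://static.usrfiles.com/ugd/7baf93_32d9725231504c3c9c569c4f2434a60f.pdf",
        "https://static.usrfiles.com/ugd/43d598_c6b317bdde404defa7000f44bc1da33c.pdf",
        "https://static.usrfiles.com/ugd/b8c837_d160ce30a08f43b8a5703c44dd9143de.pdf",
        "https://static.usrfiles.com/ugd/a382ee_b454ed3036ea45ebb18848f781739d1a.pdf",
        "https://static.usrfiles.com/ugd/16a96a_44d87b3362e54d5fa241c9bc88e5ac2d.pdf",
        "https://cdn.shopify.com/s/files/1/0438/7618/8315/files/75424799544.pdf",
        "https://cdn.shopify.com/s/files/1/0434/3581/9173/files/navef.pdf",
    ],
    ["http://www.w3.org/1999/02/22-rdf-syntax-ns#", "http://purl.org/dc/elements/1.1/",
     "http://ns.adobe.com/pdf/1.3/", "http://ns.adobe.com/xap/1.0/"],
)
# Constructed benign control: two ordinary citation links, same XMP boilerplate.
BENIGN_SAMPLE = build_sample_pdf(
    ["https://example.com/paper.pdf", "https://example.org/about"],
    ["http://ns.adobe.com/pdf/1.3/"],
)

if __name__ == "__main__":
    for name, sample in (("seo-carrier", SEO_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, len(sample), "bytes ->", run_heuristics(sample) or ["no hits"])
```

Two practical notes. First, the regex scan is deliberately limited to uncompressed objects; wkhtmltopdf and most other producers emit FlateDecode streams, so run the file through a decompressing parser (qpdf's stream decoding or pypdf, for example) before scanning, or the annotations may be invisible. Second, the XMP channel is kept separate precisely so that the w3.org, purl.org and ns.adobe.com namespace URIs listed in this report never inflate the link count or trip the redirector match.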

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded sfnt-format (TrueType/OpenType container) font programs, which are expected in a wkhtmltopdf-rendered document; they are carved for completeness and are not flagged by any heuristic above.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000064c0.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x64C0  5324 bytes
  SHA-256: 0ccd5cd7dfdac0c89d2f203fc2c5e30310e394fb4c18a1681af8c38e171e4be6
font_01_sfnt_off00007700.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7700  10500 bytes
  SHA-256: 6b07dd3f74fbdb5cd4225d9c067971ac6a6322ccc4a1c22bf2b81480a697551a