Malicious PDF — malware analysis report

Static analysis result for SHA-256 37b9a4ee5b91a61b…

MALICIOUS

PDF

40.6 KB Created: 2020-09-17 02:22:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a51fd01031effd605ccb18aceb12823b SHA-1: 66b8b3c7472869b91fd5ac18dab1ddee6f9f448d SHA-256: 37b9a4ee5b91a61bab1aa910e16db326d098130f1cfe6ca45333d77dfaa46542
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm designed to redirect users to malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The ML_NYX_PDF_MALICIOUS flag further supports the malicious nature of the document. The primary malicious URL identified is https://ttraff.me/wix?keyword=jezus+z+nazaretu, which is likely used to distribute further malware or phishing content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=jezus+z+nazaretu
    • http://nuzigitiv.nicoleedwardsauthor.com/uploads/1/3/2/6/132696021/tizafubeno-dunew-jugewutitetor-fisoginu.pdf
    • http://tononibif.momspantrykitchen.com/uploads/1/3/2/7/132740708/f850908a.pdf
    • http://zadebeduf.betheluccelkton.org/uploads/1/3/1/4/131453850/8e33fe.pdf
    • http://files.irishbavarianmountainhounds.com/uploads/1/3/1/4/131437815/2769574.pdf
    • http://files.cornishluxuryretreat.co.uk/uploads/1/3/1/8/131856772/kupawades.pdf
    • https://d0b01334-36ac-4c57-830e-e57185da24a8.filesusr.com/ugd/f515ca_3a92f1ccb13d4870b67a07033adf54c0.pdf?index=true
    • https://494ad0d8-7c51-4aa4-ba4c-5fda260cf057.filesusr.com/ugd/3f2390_ce4ba899bf8546a78b00d852b64b51c2.pdf?index=true
    • https://8d33c333-2520-49e4-9997-1b968205ef40.filesusr.com/ugd/9c8fb9_4c3415349e59492fb6aa6c625dd7d6f5.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0427/9091/2159/files/42765327823.pdf
    • https://cdn.shopify.com/s/files/1/0482/9691/9202/files/nemivabarajozif.pdf
    • https://cdn.shopify.com/s/files/1/0430/4489/6917/files/profile_pictures_for_discord.pdf
    • https://cdn.shopify.com/s/files/1/0434/5099/0753/files/2019_excel_weekly_calendar_template.pdf
    • https://cdn.shopify.com/s/files/1/0463/3926/0573/files/jexolupipabuluzewumakapa.pdf
    • https://cdn.shopify.com/s/files/1/0437/2643/8550/files/sadelasasilo.pdf
    • https://cdn.shopify.com/s/files/1/0434/2172/8919/files/lugogojidifelamijanet.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005fee.bin
456bd2b995dd2bfcc525ab804d8b9217dd323c7286520f2801447d026297b04e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FEE 4688 bytes
font_01_sfnt_off00006fed.bin
4f16907425d64f2d35c985067dfebd9211226807132ecfd24976b78b77b2832f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FED 11616 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.