Malicious PDF — malware analysis report

Static analysis result for SHA-256 3cf33795df20691a…

Verdict: MALICIOUS
Type: PDF
Size: 44.5 KB
Created: 2020-08-18 14:53:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a96462c69606281772195cca2192a41f
SHA-1: 481db9d44fb8844b725e3d7b0d8c0b4e11095254
SHA-256: 3cf33795df20691adf8d2a74997dfc558bf66d6bcb97ef4a9b32b4d9907b59b5
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 Malicious Link; T1059.001 PowerShell (assigned by the scanner; no PowerShell or other script content appears in the static extraction below, which yields only link annotations, metadata and embedded fonts)

The PDF contains many external links, including a link to the redirector 'ttraff.cc', which is associated with malicious activity. The document body, though heavily obfuscated, contains the string "Best video er facebook android" together with the redirector URL, indicating a lure designed to get the user to click through to potentially harmful content. The ML classifier also flagged the PDF as malicious with a score of 1.0000. Nothing in the static extraction points to a PDF parser exploit; the risk lies in the redirect chain that a user reaches by clicking.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: small PDF contains a mass of external PDF links (link farm)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: embedded URLs
    One or more URLs were extracted from the document. A URL by itself is not a detection; what matters is the channel through which each URL was reached (macro, JS, link annotation, document body, ...). The extracted URLs fall into three groups:
    Redirector link target (1):
    • https://ttraff.cc/pify?keyword=best+video+er+facebook+android
    Clickable external PDF links (12; 9 of them on cdn.shopify.com):
    • http://jupis.mrtoddsclassroom.com/uploads/1/3/1/3/131380213/3bb8879153d788.pdf
    • http://files.ebresearch.org/uploads/1/3/0/8/130874411/miziluzivujogujuji.pdf
    • http://files.timwarnerlab.org/uploads/1/3/0/9/130969714/9903433.pdf
    • https://cdn.shopify.com/s/files/1/0432/9802/9733/files/9360554493.pdf
    • https://cdn.shopify.com/s/files/1/0428/8138/4604/files/72734074481.pdf
    • https://cdn.shopify.com/s/files/1/0428/1827/3446/files/askep_fistula_ani.pdf
    • https://cdn.shopify.com/s/files/1/0435/4405/1864/files/loposowuzakofatala.pdf
    • https://cdn.shopify.com/s/files/1/0435/0846/5828/files/62136689930.pdf
    • https://cdn.shopify.com/s/files/1/0437/4603/3818/files/dakutenag.pdf
    • https://cdn.shopify.com/s/files/1/0431/5106/5243/files/wepagexutopotefojez.pdf
    • https://cdn.shopify.com/s/files/1/0432/6581/8789/files/dyt_4000_parts.pdf
    • https://cdn.shopify.com/s/files/1/0434/5842/9089/files/85669852417.pdf
    XMP metadata namespace URIs (6; RDF, Dublin Core and Adobe XMP schema identifiers from the metadata packet, not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    Truncated fragment, as extracted (1):
    • https://cdn.shopify.com/s
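The two critical heuristics and the per-channel URL attribution above are straightforward to reproduce. The following is an added example, not the scanner's own code: it builds a constructed single-page PDF with one /Link annotation per URL and a small XMP packet, attributes each extracted URL to the channel that reached it (clickable /URI annotation, XMP schema namespace, or other body string), then applies a redirector-host check and a link-farm clustering check. The blocklist (only ttraff.cc, the host named in this report), the thresholds (64 KB, at least eight .pdf links, 60% on one host) and the sample hosts are assumptions. Extraction is regex-based over raw bytes; real samples with compressed object streams or hex-encoded strings need a proper PDF parser first.

```python
"""Link-farm PDF triage: added example, not the scanner's code.

Reproduces the two critical heuristics from the report
(PDF_MALICIOUS_REDIRECTOR_LINK, PDF_SEO_LINK_FARM) and the per-channel URL
attribution described under EMBEDDED_URL, over a constructed sample PDF.
Blocklist, thresholds and sample hosts are assumptions for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlparse

REDIRECTOR_HOSTS = {"ttraff.cc"}   # hypothetical blocklist; host named in the report
XMP_NAMESPACE_PREFIXES = (         # XMP/RDF schema URIs: metadata, never clickable
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/",
    "http://ns.adobe.com/",
)
URI_ANNOT_RE = re.compile(rb"/URI\s*\(([^)]*)\)")    # literal-string /URI targets
RAW_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")   # any http(s) string in the bytes

# Constructed sample: the report's redirector URL, three single-host .pdf links and
# nine .pdf links clustered on one CDN-style host (all hosts except ttraff.cc are made up).
SAMPLE_LINKS = (
    ["https://ttraff.cc/pify?keyword=best+video+er+facebook+android"]
    + ["http://files.example-%s.test/uploads/%d.pdf" % (h, i) for i, h in enumerate("abc")]
    + ["https://cdn.example-store.test/s/files/%d/doc%d.pdf" % (1000 + i, i) for i in range(9)]
)


def build_sample_pdf(link_urls):
    """Constructed single-page PDF: one /Link annotation per URL plus an
    uncompressed XMP packet. xref offsets are computed, so the file is valid."""
    xmp = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF "
           b"xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
           b"xmlns:dc='http://purl.org/dc/elements/1.1/' "
           b"xmlns:pdf='http://ns.adobe.com/pdf/1.3/'/></x:xmpmeta>")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        None,  # page object, filled in once the annotation object numbers are known
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream"
        % (len(xmp), xmp),
    ]
    first = len(objs) + 1
    for u in link_urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
                    b"/A << /S /URI /URI (%s) >> >>" % u.encode())
    refs = b" ".join(b"%d 0 R" % n for n in range(first, first + len(link_urls)))
    objs[2] = b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [%s] >>" % refs
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


def extract_urls(pdf):
    """Attribute each URL to the channel that reached it: 'link_annotation'
    (clickable /URI targets), 'xmp_namespace' (schema URIs in the metadata
    packet) or 'body' (any other http(s) string found in the raw bytes)."""
    links = [m.group(1).decode("latin-1") for m in URI_ANNOT_RE.finditer(pdf)]
    out = {"link_annotation": links, "xmp_namespace": [], "body": []}
    seen = set(links)
    for m in RAW_URL_RE.finditer(pdf):
        u = m.group(0).decode("latin-1").rstrip(".,;")
        if u in seen:
            continue
        seen.add(u)
        out["xmp_namespace" if u.startswith(XMP_NAMESPACE_PREFIXES) else "body"].append(u)
    return out


def triage(pdf, size_limit=64 * 1024, min_pdf_links=8, cluster_ratio=0.6):
    """Apply the report's two critical heuristics to the clickable links only.
    Returns (rule, severity, evidence) tuples; thresholds are assumptions."""
    links = extract_urls(pdf)["link_annotation"]
    findings = []
    for u in links:                                   # redirector check: host match
        if (urlparse(u).hostname or "").lower() in REDIRECTOR_HOSTS:
            findings.append(("PDF_MALICIOUS_REDIRECTOR_LINK", "critical", u))
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf) <= size_limit and len(pdf_links) >= min_pdf_links:   # link-farm check
        host, n = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)[0]
        if n / len(pdf_links) >= cluster_ratio:
            findings.append(("PDF_SEO_LINK_FARM", "critical",
                             "%d .pdf links, %d on %s" % (len(pdf_links), n, host)))
    return findings


if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_LINKS)
    for channel, urls in extract_urls(sample).items():
        print("%-16s %d" % (channel, len(urls)))
    for rule, severity, evidence in triage(sample):
        print(rule, severity, evidence)
```

Only the link_annotation channel feeds the two rules; the XMP namespace URIs are deliberately separated so that the presence of RDF/Dublin Core/Adobe schema identifiers (present in almost every generated PDF) never inflates the link count.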

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType) font streams, as expected for wkhtmltopdf output; none of the heuristics above fires on them.

font_00_sfnt_off000062a3.bin
  SHA-256: 727e3dde50e491c4862ad451b16105377b855710bb6d7dc3f061a1424fefd4f4
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x62A3
  Size:    5084 bytes

font_01_sfnt_off00007405.bin
  SHA-256: d2eb9a3968e654de227832b184bcb8bb4d3e53bfd1b6f519bdf08fe9a20e3bae
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x7405
  Size:    10120 bytes

font_02_sfnt_off000096be.bin
  SHA-256: ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x96BE
  Size:    4324 bytes