Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d419358197168be…

MALICIOUS

PDF

Type: PDF
Size: 48.6 KB
Created: 2020-09-18 05:16:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9cabd4681bb5197ebea5ac35077dbf87
SHA-1: 37c1ef61f70b3873281ee738713b7c9f39221cb1
SHA-256: 3d419358197168be2e60af9b25989469f04e4c9f2709f000bbee22fcaff5e95a
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1059.001 Command and Scripting Interpreter: PowerShell

The PDF is a generated lure: its visible text poses as a game guide (the redirector query string carries the keyword "maplestory 2 thief guide 2019"), and the clickable link behind it points at the redirector host ttraff.me. Two heuristics corroborate this: a link to known malicious redirector infrastructure, and a link farm of external .pdf URLs clustered on a small number of hosts. The ML classifier scores the file as malicious at 1.0000. No scripts were extracted, so the sample does not rely on a parser vulnerability; it depends on the user clicking through a redirect chain, which is the pattern of a phishing or SEO-redirection attack. The T1059.001 (PowerShell) mapping is not supported by any artifact in the sample itself and should be read as a campaign-level association rather than observed behaviour.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external .pdf links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL by itself is not a detection; the channel that reached it (macro, JS, link annotation, document body, ...) is what matters.
    Redirector link (lure target):
    • https://ttraff.me/wix?keyword=maplestory+2+thief+guide+2019
    External .pdf links (the link farm):
    • http://lofenex.kriyastrology.com/uploads/1/3/2/6/132681229/jodanovupenejutepide.pdf
    • http://zilezoze.investwithsmdc.com/uploads/1/3/2/8/132814956/zutuzifixi.pdf
    • http://varaxuj.unityofheartfalmouth.com/uploads/1/3/0/8/130874330/vuvolelibim.pdf
    • http://zogebe.plainfieldspanish.com/uploads/1/3/0/8/130814017/b47e6d1f8275d9.pdf
    • http://files.csd86.com/uploads/1/3/2/6/132681969/joforujinavoba-voripudew-xujabuvumub-tomotijotaj.pdf
    • https://cdn.shopify.com/s/files/1/0439/5663/3758/files/southwest_check_in.pdf
    • https://cdn.shopify.com/s/files/1/0461/9688/3614/files/prevention_of_rh_d_alloimmunization_acog.pdf
    • https://cdn.shopify.com/s/files/1/0438/1533/8144/files/kasozod.pdf
    • https://cdn.shopify.com/s/files/1/0437/6998/7223/files/moraniwijagakubipam.pdf
    • https://2daf06ea-e912-4434-801f-ec63d61fa632.filesusr.com/ugd/69b86f_9dfac40ca543469a8a29f8d84886891a.pdf?index=true
    • https://e0492697-c66a-45e2-9a1e-209d6c066507.filesusr.com/ugd/fc840b_134dbd53b85e42998c5b8fa26d6775aa.pdf?index=true
    • https://bc83117e-7bca-4d16-a6a0-a97a8e478125.filesusr.com/ugd/f6a907_d56f1c1f393842bcab0463312b8e13b4.pdf?index=true
    • https://179e6e4d-95d9-4325-ba77-db2cbc567d24.filesusr.com/ugd/f09a9d_284209c6bf6e4416ae7453475fad2df2.pdf?index=true
    • https://783c75d8-09bb-4bba-b202-57e9a2ad611c.filesusr.com/ugd/0251f0_698aeb6d59d940529a62c118c579e3b1.pdf?index=true
    XMP namespace URIs from the document's metadata stream (standard RDF/Dublin Core/Adobe schema identifiers, not clickable links; benign):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
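The three heuristics above reduce to a question a triage script can answer from the raw file: which URLs are reachable through a clickable /Link annotation (as opposed to merely appearing in XMP metadata or page text), how many of those point at external .pdf files on the same host, and whether any active-content keys are present. The following is an added example written for this page, not the scanner vendor's implementation; it builds a constructed, uncompressed PDF in memory (the analysed sample is not reproduced), and the thresholds, the `redirector.example` / `files.example.net` hosts and the rule names it reports are assumptions chosen to mirror the report's labels. It handles only uncompressed objects with literal-string URIs; a file that packs its annotations into object streams or uses hex strings needs a real parser (for example pypdf) in front of the same logic.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# ---- constructed sample builder (not the analysed file) -------------------
XMP = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
       b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"></rdf:RDF>')

def build_pdf(uris):
    """Return a minimal, uncompressed PDF with one /Link annotation (URI
    action) per entry of `uris` plus an XMP metadata stream. The XMP
    namespaces are URLs too, but they are not clickable; a triage tool
    must not count them as links. URIs must not contain '(' ')' or '\\'."""
    annot_refs = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(uris)))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots ["
        + annot_refs + b"] >>",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream"
        % (len(XMP), XMP),
    ]
    for i, uri in enumerate(uris):
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 %d 200 %d] "
                    b"/A << /S /URI /URI (%s) >> >>"
                    % (i * 10, i * 10 + 10, uri.encode()))
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n + 1, o) for n, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

# ---- extraction: which channel reached each URL? --------------------------
URI_ACTION = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")   # /A << /S /URI /URI (...) >>
METADATA_STREAM = re.compile(rb"/Type\s*/Metadata.*?stream\r?\n(.*?)\r?\nendstream", re.S)
ANY_URL = re.compile(rb"https?://[^\s<>\"'()]+")
SCRIPT_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

def extract_urls(pdf_bytes):
    """Map url -> channel. Only 'link-annotation' means a user can click it;
    'xmp-metadata' and 'document-body' are informational, as in the report."""
    urls = {}
    for m in URI_ACTION.finditer(pdf_bytes):
        urls[m.group(1).decode("latin-1")] = "link-annotation"
    for m in METADATA_STREAM.finditer(pdf_bytes):
        for u in ANY_URL.findall(m.group(1)):
            urls.setdefault(u.decode("latin-1"), "xmp-metadata")
    for u in ANY_URL.findall(pdf_bytes):
        urls.setdefault(u.decode("latin-1"), "document-body")
    return urls

def script_indicators(pdf_bytes):
    """Count raw occurrences of keys that imply active content. All zeros is
    what 'no scripts were extracted' looks like at the byte level."""
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", pdf_bytes))
            for k in SCRIPT_KEYS}

# ---- heuristics (thresholds are this example's assumptions) ---------------
def link_farm_heuristic(pdf_bytes, min_links=10, max_size=100 * 1024, cluster_ratio=0.5):
    """PDF_SEO_LINK_FARM-style check: a small file carrying many clickable
    external .pdf links, most of them on one host. Returns evidence or None."""
    clickable = [u for u, ch in extract_urls(pdf_bytes).items() if ch == "link-annotation"]
    pdf_links = [u for u in clickable if urlsplit(u).path.lower().endswith(".pdf")]
    if not pdf_links or len(pdf_bytes) > max_size or len(pdf_links) < min_links:
        return None
    host, count = Counter(urlsplit(u).hostname for u in pdf_links).most_common(1)[0]
    share = count / len(pdf_links)
    if share < cluster_ratio:
        return None
    return {"rule": "PDF_SEO_LINK_FARM", "pdf_links": len(pdf_links),
            "dominant_host": host, "dominant_share": round(share, 2)}

def redirector_links(pdf_bytes, known_redirectors):
    """PDF_MALICIOUS_REDIRECTOR_LINK-style check: clickable links whose host is
    in a caller-supplied set of known redirector domains (assumed list)."""
    return sorted(u for u, ch in extract_urls(pdf_bytes).items()
                  if ch == "link-annotation" and urlsplit(u).hostname in known_redirectors)

if __name__ == "__main__":
    # Constructed lure: one redirector link, twelve .pdf links on one host, one stray.
    farm = build_pdf(["https://redirector.example/go?keyword=game+guide"]
                     + [f"http://files.example.net/uploads/{i}/doc{i}.pdf" for i in range(12)]
                     + ["https://cdn.example.org/files/other.pdf"])
    for url, channel in extract_urls(farm).items():
        print(f"{channel:16} {url}")
    print(script_indicators(farm))
    print(link_farm_heuristic(farm))
    print(redirector_links(farm, {"redirector.example"}))
```

The important design point is the channel label: the same regex that finds `https://` inside the XMP stream would, run naively over the whole file, report six "embedded URLs" that no user can ever click, which is exactly the false positive the report's EMBEDDED_URL entry warns about. Counting only `/URI (...)` action strings, and keying the link-farm rule on those, keeps the heuristic honest.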

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded font streams, which are expected in wkhtmltopdf output; they are listed for completeness and carry no detection of their own.

  • font_00_sfnt_off00007404.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7404
    Size: 5892 bytes
    SHA-256: 79228b60ee15860f095b145f7600609934a1da8d4db65e2cc72a1b8819a75a73
  • font_01_sfnt_off00008823.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8823
    Size: 14428 bytes
    SHA-256: 3c9439b67e188f26d03a77dab3502cf0d974bac20a43a0b41510537c08d4d8e4