Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d78d212c0aa0708…

MALICIOUS

PDF

37.2 KB Created: 2020-09-07 18:10:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b7129628e7096e8a9fda46eebe8d202f SHA-1: b731986d1e0c952a1b8bc90c09972f971cb313bc SHA-256: 3d78d212c0aa070859070118943560f32fc914bd334946f71418b3fc365fd069
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'ttraff.me'. The document body, though heavily corrupted, contains the same URL and a keyword suggesting a lure. This indicates the document's primary purpose is to redirect users to a malicious site, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=affidavit+form+australia+qld
    • https://cdn.shopify.com/s/files/1/0428/5536/6822/files/atharvashirsha_ganpati_stotra.pdf
    • https://cdn.shopify.com/s/files/1/0432/7230/6843/files/12346953965.pdf
    • https://cdn.shopify.com/s/files/1/0432/0165/9043/files/aarti_sangrah_lyrics.pdf
    • https://cdn.shopify.com/s/files/1/0429/6137/1290/files/acca_f7_revision_notes.pdf
    • https://static.usrfiles.com/ugd/1cc777_eeada0a83086495fbd9468527668e242.pdf
    • https://static.usrfiles.com/ugd/5e81b9_6fd1ea23e3744ac1bc6f3adc665c9430.pdf
    • https://cdn.shopify.com/s/files/1/0440/2734/7109/files/dilejevexomotiwokejiw.pdf
    • https://cdn.shopify.com/s/files/1/0431/6423/7992/files/zuwarosewavabu.pdf
    • https://cdn.shopify.com/s/files/1/0434/6265/6165/files/37168147847.pdf
    • https://cdn.shopify.com/s/files/1/0434/3260/7894/files/31742705914.pdf
    • https://cdn.shopify.com/s/files/1/0431/5319/5157/files/7043818297.pdf
    • https://cdn.shopify.com/s/files/1/0433/5743/8101/files/algo_trading_and_dma.pdf
    • https://cdn.shopify.com/s/files/1/0437/8358/5953/files/xilumito.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005484.bin
e1d8e8c092c688f7c121091841672823ee77bbb1f30100a81d6d3670f06706fa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5484 5228 bytes
font_01_sfnt_off0000663f.bin
ae244f75f2281d6db0e2574962c05c794deeeb7195638a8de0f92da400bf6146		 pdf-font-stream PDF embedded font (sfnt) at offset 0x663F 10012 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.