Malicious PDF — malware analysis report

Static analysis result for SHA-256 3dda869f704d76c2…

MALICIOUS

PDF

54.8 KB Created: 2020-07-30 20:46:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 998997905bd5cc2150583607f188e1a0 SHA-1: 420de5a4ca9de66a1b5c5797f128b1746ec64576 SHA-256: 3dda869f704d76c2d45792b4129a656a80faf3dc25e6c7e6a14755d5c8aa6ad1
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a malicious redirector link disguised as 'Calvinism theology pdf'. This link points to 'ttraff.com', a known malicious redirector. The document also features a large number of external PDF links, likely for SEO manipulation or to host further malicious content. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=calvinism+theology+pdf
    • http://files.goographene.com/uploads/1/3/2/3/132302998/5688440.pdf
    • http://files.southernaddictiondecor.com/uploads/1/3/1/0/131070161/683911c33.pdf
    • http://files.masakanekodesign.com/uploads/1/3/1/3/131379860/tomomilepodawiw.pdf
    • https://cdn.shopify.com/s/files/1/0433/0595/9574/files/bopuzebesu.pdf
    • https://cdn.shopify.com/s/files/1/0431/3242/0262/files/86691066444.pdf
    • https://cdn.shopify.com/s/files/1/0433/0124/0985/files/zagutizibunuw.pdf
    • https://cdn.shopify.com/s/files/1/0434/5616/8093/files/rurabupanuwo.pdf
    • https://cdn.shopify.com/s/files/1/0430/7147/1767/files/35645723456.pdf
    • https://cdn.shopify.com/s/files/1/0433/1143/1838/files/7703545269.pdf
    • https://cdn.shopify.com/s/files/1/0432/2692/3172/files/rugitidafazurogesutujoni.pdf
    • https://cdn.shopify.com/s/files/1/0431/7757/4551/files/fomagowofarafejoza.pdf
    • https://cdn.shopify.com/s/files/1/0431/5312/9640/files/dedunanagunuxiwuroneg.pdf
    • https://cdn.shopify.com/s/files/1/0428/0070/9791/files/3038152678.pdf
    • https://cdn.shopify.com/s/files/1/0437/3164/8661/files/23296405737.pdf
    • https://cdn.shopify.com/s/files/1/0433/2689/8344/files/686547572.pdf
    • https://cdn.shopify.com/s/files/1/0430/8946/1410/files/50431422827.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0430/7147/1767/files/35645723456

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000990f.bin
8d25e067e0fb658703eda860f0cb297a692b171360eed4d011252c21b3f95d12		 pdf-font-stream PDF embedded font (sfnt) at offset 0x990F 5332 bytes
font_01_sfnt_off0000ab1d.bin
661e84b7efda428f467cdb76abdf1682168f431b9d6feff2cb7358108ad25ba7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAB1D 10224 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.