Malicious PDF — malware analysis report

Static analysis result for SHA-256 40513f678dd8fb28…

MALICIOUS

PDF

40.4 KB Created: 2020-08-31 18:49:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9f2ab8a19342fba4c21ba575d1c57688 SHA-1: aaf89e5957075d3141198e6f765058e2194f8d1f SHA-256: 40513f678dd8fb281bec6ad9df84cb2f34e6ae67f24f729038286c97c3d1667c
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, a common tactic for SEO poisoning and redirecting users to malicious sites. One critical heuristic identified a link to a known malicious redirector, ttraff.cc, which is further contextualized by the document body containing a similar URL. This suggests the primary goal is to lure users to a malicious website, likely for further exploitation or phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=video+cutter+and+merger+for+android
    • https://cdn.shopify.com/s/files/1/0431/6397/5835/files/sejix.pdf
    • https://cdn.shopify.com/s/files/1/0432/9845/5705/files/zamadeturilopitumaviki.pdf
    • https://cdn.shopify.com/s/files/1/0428/4756/8039/files/fiwatudetoketezabozi.pdf
    • https://cdn.shopify.com/s/files/1/0432/7122/5494/files/31651416510.pdf
    • https://static.usrfiles.com/ugd/850f07_c5f4f8d435054473afbe8b4b266a9bd7.pdf
    • https://static.usrfiles.com/ugd/19103d_14e933ccb3f64b1dba504420e8d023fe.pdf
    • https://static.usrfiles.com/ugd/83d902_e888076ade654050ba5e18617c550694.pdf
    • https://static.usrfiles.com/ugd/b8c837_e74f20c329b44d419f1a69cc37a3c590.pdf
    • https://cdn.shopify.com/s/files/1/0440/2629/8533/files/violin_hymn_sheet_music.pdf
    • https://cdn.shopify.com/s/files/1/0440/6162/2437/files/free_architecture_magazine.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/84593422723.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000061fe.bin
05068cbdd1c2c1b50f767a7b2a12d98c66edb56a6a32883af9ddd621b6771d24		 pdf-font-stream PDF embedded font (sfnt) at offset 0x61FE 5096 bytes
font_01_sfnt_off00007342.bin
c4cc28f8bc3f421be0f98c59bca0ce622759be34257d6b150259fa6ea9ce4f2c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7342 9868 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.