Malicious PDF — malware analysis report

Static analysis result for SHA-256 40ff41c6eeb27a5f…

MALICIOUS

PDF

74.9 KB Created: 2020-08-29 22:09:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: adcbc9929244a619f61a23df0f6226c2 SHA-1: 4f2a46516cfb1213f32bac923501605f08801b67 SHA-256: 40ff41c6eeb27a5ff5baae7b3afeff047cebeaa17badbd44f3c2ceb69c2ca84d
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, which is also present in the document body. This link, 'https://ttraff.link/wix?keyword=gemini+7208+car+alarm+manual', is designed to lead users to malicious infrastructure. The document also contains a large number of embedded links to Shopify, suggesting a link farm for SEO manipulation, with the primary malicious link being the most critical IOC. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=gemini+7208+car+alarm+manual
    • https://cdn.shopify.com/s/files/1/0435/3199/3242/files/tolekuzarigozetivugi.pdf
    • https://cdn.shopify.com/s/files/1/0429/1231/7603/files/the_betrayal_of_east_pakistan_bangla.pdf
    • https://cdn.shopify.com/s/files/1/0430/1648/7065/files/rojavuvokaxolopuvoto.pdf
    • https://cdn.shopify.com/s/files/1/0437/7578/7162/files/baaton_ko_teri_song_ringtone.pdf
    • https://cdn.shopify.com/s/files/1/0434/3375/4785/files/bodyweight_strength_training_anatomy_book.pdf
    • https://cdn.shopify.com/s/files/1/0438/6009/9222/files/20168730401.pdf
    • https://cdn.shopify.com/s/files/1/0435/5837/1496/files/galofosulu.pdf
    • https://cdn.shopify.com/s/files/1/0429/4092/4063/files/fovoridapupujogofemutuj.pdf
    • https://cdn.shopify.com/s/files/1/0428/1742/1479/files/xigisuwokela.pdf
    • https://cdn.shopify.com/s/files/1/0433/4456/0281/files/cyanide_happiness_game_apk.pdf
    • https://cdn.shopify.com/s/files/1/0429/0733/6867/files/lubovibotokane.pdf
    • https://cdn.shopify.com/s/files/1/0430/7327/4010/files/hec_aptitude_test_sample_paper.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/zizamazigunonafimav.pdf
    • https://cdn.shopify.com/s/files/1/0435/0047/0438/files/carta_para_mi_novio_manualidades.pdf
    • https://cdn.shopify.com/s/files/1/0430/8605/3527/files/17994699274.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000da33.bin
86c0662360f90ec20ac898a40d47b6dd318d2dc7a73c9fdf479168cb00d56c1c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDA33 5344 bytes
font_01_sfnt_off0000ec47.bin
79a45d06cb72fa1fa73c1022556a23d514ed1e5d17cce3e9fea36c82c93bcad7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEC47 15920 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.