Malicious PDF — malware analysis report

Static analysis result for SHA-256 47fc35b31ff63f64…

Verdict: MALICIOUS
File type: PDF
Size: 51.6 KB
Created: 2020-08-31 06:06:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c1ce3bada1f0594247e0df755ae9178f
SHA-1: 3846e70718369bbc8e6963af941c78bd4f064b9e
SHA-256: 47fc35b31ff63f64c8e7baf54fbfbd31fa4795e0ad901190fe2c9d8e46a950e8
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.cc/wix?keyword=the+grouchy+ladybug+main+idea'. This indicates that the document's primary purpose is to redirect users to a malicious site. The large number of external PDF links, many of which resolve to benign content, suggests a link farm or SEO poisoning tactic intended to obscure the malicious redirector. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.cc/wix?keyword=the+grouchy+ladybug+main+idea

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                      Size
font_00_sfnt_off00008a3b.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x8A3B   5368 bytes
  SHA-256: f8222ec646e6579038cf147b9bbcf5c31c2923d0c28b41456ad96bfa3477ba89
font_01_sfnt_off00009c62.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x9C62   10864 bytes
  SHA-256: 6cb1ad991e0d30e4921acc3f7a9507595859bd00a473611a32950e93b7bf200f