Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c643deab9c0f4d9…

MALICIOUS

PDF

44.6 KB Created: 2020-08-31 13:04:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bb6af904965b4ae197cb2f46bed9aab6 SHA-1: 2d556a3cd44f32e1969f874af88f2021fef11a01 SHA-256: 4c643deab9c0f4d9118561e635a5f99de79e5057849c1bae296d78d72f5d5ecb
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a redirector service. The primary URL, 'https://ttraff.cc/wix?keyword=buying+a+juicer', is flagged as malicious. This suggests a phishing or scam attempt where users are directed to malicious infrastructure, likely for further exploitation or credential harvesting. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=buying+a+juicer
    • https://static.usrfiles.com/ugd/b8c837_964d35a497eb428086be5af45f294145.pdf
    • https://static.usrfiles.com/ugd/b8c837_0fa239f3bdb440fdab8ffae0ecfc174e.pdf
    • https://static.usrfiles.com/ugd/455f95_346071d9fef54418b5b25a84567145b3.pdf
    • https://static.usrfiles.com/ugd/e3c460_edd90b33fb154933af3a1d39796bed38.pdf
    • https://static.usrfiles.com/ugd/b8c837_649517d3e2b14ba1816d4229783b3e13.pdf
    • https://cdn.shopify.com/s/files/1/0436/1938/5502/files/4350443091.pdf
    • https://cdn.shopify.com/s/files/1/0431/5011/4978/files/node_js_ajax.pdf
    • https://cdn.shopify.com/s/files/1/0429/3584/5017/files/79861934176.pdf
    • https://cdn.shopify.com/s/files/1/0441/3099/2280/files/green_bay_vs_eagles_injury_report.pdf
    • https://cdn.shopify.com/s/files/1/0431/5840/5275/files/visumofesokop.pdf
    • https://cdn.shopify.com/s/files/1/0435/8235/7663/files/final_countdown_sheet_music_keyboard.pdf
    • https://cdn.shopify.com/s/files/1/0436/9642/3080/files/tufezejudulifi.pdf
    • https://cdn.shopify.com/s/files/1/0428/4514/3207/files/22595789903.pdf
    • https://cdn.shopify.com/s/files/1/0432/7076/6750/files/77159874828.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006499.bin
92e8796b1b7069277e753fe86115d42f8ddfcd0251346b3dc2f76a1b0c243e3a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6499 4676 bytes
font_01_sfnt_off0000748c.bin
65741a10683bb80907062354e1872550c6f98dac55720e3e76d46bcc8b854ed8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x748C 10516 bytes
font_02_sfnt_off000097ff.bin
9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x97FF 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.