Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f8cee7c94459f1a…

MALICIOUS

PDF

41.5 KB Created: 2020-09-01 22:39:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 988617eeb0a82774983d590aa008cb2f SHA-1: 5b58be0cc2190935074395a50316442244beb9e2 SHA-256: 4f8cee7c94459f1a06510aa1c9e10227e02d4839d9aa13a12902b5836b492ea6
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The sample is a PDF file that contains a large number of embedded links, identified as a PDF link farm. One of the primary links, https://ttraff.cc/wix?keyword=example+of+introduction+for+recommendation+report, is flagged as a known malicious redirector. The document body, though heavily obfuscated, contains text related to a recommendation report and the redirector URL. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=example+of+introduction+for+recommendation+report
    • https://static.usrfiles.com/ugd/b8c837_de08946a9d27462793c77bec0e9c467d.pdf
    • https://static.usrfiles.com/ugd/b8c837_4ad4ce883e724c28ab0be85e305d562f.pdf
    • https://static.usrfiles.com/ugd/a298ce_cc53e0b2e7644c58bb49352abd04129b.pdf
    • https://cdn.shopify.com/s/files/1/0432/1725/6603/files/caccia_al_tesoro_indovinelli.pdf
    • https://cdn.shopify.com/s/files/1/0431/2412/9946/files/surikowerutilew.pdf
    • https://static.usrfiles.com/ugd/40512e_9cf5100c467343b8a089f611dccc1d8c.pdf
    • https://static.usrfiles.com/ugd/0a593f_e4eab79ab278450187e656e11b028e21.pdf
    • https://static.usrfiles.com/ugd/e8506d_5bf93a27502445b0ad57fe43de6b084c.pdf
    • https://static.usrfiles.com/ugd/b8c837_bf551a7e46aa44c3a958e961fa977820.pdf
    • https://static.usrfiles.com/ugd/a64c8c_7daefbeca65c4c84bf25a0ffa1b0cb33.pdf
    • https://cdn.shopify.com/s/files/1/0428/3239/6447/files/76864361331.pdf
    • https://cdn.shopify.com/s/files/1/0463/4971/3569/files/xipatiwemek.pdf
    • https://cdn.shopify.com/s/files/1/0431/0574/7108/files/57595555083.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000062df.bin
27cb3b2cbc78a8ade3c87166ad268ca9600eac1279aa3e06dded59c9f413745d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x62DF 5148 bytes
font_01_sfnt_off00007456.bin
c2bd7b4f9c971eb400943a2913982741cdd585a2303c3d90092299f566ed4fcd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7456 10764 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.