Malicious PDF — malware analysis report

Static analysis result for SHA-256 50117c310d4dd9dc…

Verdict: MALICIOUS
File type: PDF
Size: 124.4 KB
Created: 2020-08-06 18:53:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9904cfcb449fcaa739192099480fb7ba
SHA-1: cc3c4ffdf89f461be65a1cf2625d4e55f53c0e0d
SHA-256: 50117c310d4dd9dc839a9d15da444408cce79a652fe3c17fd6d43143d5ce9f10
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

A critical heuristic fired on this PDF for a link to the malicious redirector 'ttraff.com'. A PDF link-farm heuristic also fired, suggesting an attempt to manipulate search-engine results or to distribute content. The document body, though heavily obfuscated, contains the same malicious URL. The primary attack pattern is luring users through a seemingly legitimate document to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.com/pify?keyword=bartleby+herman+melville+pdf
    • http://files.andrewogus.com/uploads/1/3/0/8/130814232/megeruwa_votisojagokida_fisopozol_vamivej.pdf
    • http://files.florenceashley.com/uploads/1/3/0/7/130776363/fufaduxuzataluse.pdf
    • http://files.canagnos.com/uploads/1/3/1/0/131070212/gesidoz.pdf
    • http://files.ken-lab.com/uploads/1/3/0/9/130969461/2164912.pdf
    • http://files.newartbycjepps.com/uploads/1/3/1/6/131636719/4189451.pdf
    • https://cdn.shopify.com/s/files/1/0437/5108/0087/files/small_business_success_stories.pdf
    • https://cdn.shopify.com/s/files/1/0438/3100/1250/files/sidov.pdf
    • https://cdn.shopify.com/s/files/1/0432/0493/5835/files/25981619428.pdf
    • https://cdn.shopify.com/s/files/1/0439/0780/9448/files/531513978.pdf
    • https://cdn.shopify.com/s/files/1/0430/8847/8365/files/daveboluxelulazanorikelap.pdf
    • https://cdn.shopify.com/s/files/1/0434/7199/5033/files/grief_and_loss_workbook.pdf
    • https://cdn.shopify.com/s/files/1/0431/7931/1268/files/xituniforifeji.pdf
    • https://cdn.shopify.com/s/files/1/0437/1313/4757/files/vodefasat.pdf
    • https://cdn.shopify.com/s/files/1/0429/5039/4019/files/2836261706.pdf
    • https://cdn.shopify.com/s/files/1/0440/2728/1558/files/mufofagubowuduwogi.pdf
    • https://cdn.shopify.com/s/files/1/0431/4585/5137/files/4262494302.pdf
    • https://cdn.shopify.com/s/files/1/0432/5831/4912/files/65530303208.pdf
    • https://cdn.shopify.com/s/files/1/0433/6238/6079/files/pendidikan_agama_islam_kelas_10_kurikulum_2020.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (5)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000e629.bin
  SHA-256: 3a1d044d24121de9a73da65e73f2decacc9bd2c899e2951761981f900a73c2cf
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xE629
  Size:    50748 bytes

font_01_sfnt_off00017fc7.bin
  SHA-256: 94254b651cbc17c773c7b546b49c5085dc7f8d7a0c564036bfa860bf63754aa4
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x17FC7
  Size:    5452 bytes

font_02_sfnt_off00019229.bin
  SHA-256: 1abe598f6dce030ba71af0cff7fe5563d11f2bbcfd3d6e94ff44e9f013241858
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x19229
  Size:    4832 bytes

font_03_sfnt_off0001a381.bin
  SHA-256: ae3d12d7bd9f20f1ec7d821edab95a2ee1aba75165a86a4f4e9f4c9f7a833689
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1A381
  Size:    14516 bytes

font_04_sfnt_off0001ce96.bin
  SHA-256: 354dce64f07f3d7acdf6a04edf763950ffbfec4edcbb4bfe17b65a83544077bb
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1CE96
  Size:    16036 bytes