Malicious PDF — malware analysis report

Static analysis result for SHA-256 513a5cfc40e10a3b…

Verdict: MALICIOUS
File type: PDF
Size: 47.9 KB
Created: 2020-08-31 04:00:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a26a35385c325695b991c6c876b53f32
SHA-1: 85d5fbdd45bf028bef0db86312b3fa1fa9d5af9a
SHA-256: 513a5cfc40e10a3b64eb78a4dbf42003a98ef4f490eef282b08b3178340e8ed2
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

A critical heuristic fires on a malicious redirector link in the PDF, which also appears in the document body. This link, 'https://ttraff.cc/wix?keyword=masa%25C3%25BCst%25C3%25BC+duvar+ka%25C4%259F%25C4%25B1tlar%25C4%25B1+3d+hareketli', is designed to lead users to malicious infrastructure. Additionally, the PDF exhibits the characteristics of a link farm, with numerous embedded links, including one pointing to 'https://cdn.shopify.com/s/files/1/0432/7004/5864/files/map_camp_nou_minecraft.pdf', which suggests a broader SEO poisoning or traffic generation scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=masa%25C3%25BCst%25C3%25BC+duvar+ka%25C4%259F%25C4%25B1tlar%25C4%25B1+3d+hareketli

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004ea2.bin
  SHA-256: edf517a561ed5132c6c1d5718ac6ff9d870a00e6f43a91762fd168a2279cca75
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4EA2
  Size: 6440 bytes

Filename: font_01_sfnt_off00005e98.bin
  SHA-256: f15255437d540c6520b874b5b796c7f1d987a5f97d1c1284c007327fd4496a64
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5E98
  Size: 5588 bytes

Filename: font_02_sfnt_off0000716e.bin
  SHA-256: 297a1dbb16bc04adda73a0856112e81a278cdc0d1ed3e5dee2f67695bd4214d7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x716E
  Size: 13908 bytes

Filename: font_03_sfnt_off00009b1a.bin
  SHA-256: 149cab45689013e99d1aa520d2e5234663aa5d8577b6aae5e423b5d60aeda4c1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9B1A
  Size: 16036 bytes