Malicious PDF — malware analysis report

Static analysis result for SHA-256 51c35ce1cab23f08…

Verdict: MALICIOUS
File type: PDF
Size: 42.9 KB
Created: 2020-08-30 20:41:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 02f2e85acfeddc6ff2371016054ca83c
SHA-1: 6eaaa442e741b3a059ad8058f701b16fa394b66a
SHA-256: 51c35ce1cab23f08cfff903e26c5d65b261ded689b2640d89a63ae49cf915b0a
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.me/wix?keyword=rockstar+full+movie++720p+hevc'. This URL is presented within the document's body text, disguised as a movie download link. Additionally, the PDF exhibits characteristics of an SEO link farm, with numerous links to other PDF files hosted on Shopify. The ML classifier also strongly flagged this PDF as malicious. The combination of these factors indicates a malicious intent to redirect users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical, PDF_MALICIOUS_REDIRECTOR_LINK]
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.me/wix?keyword=rockstar+full+movie++720p+hevc
    • https://cdn.shopify.com/s/files/1/0435/4641/1160/files/kerala_lottery_result_onam_bumper_2020_download.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/gumuwajufutoz.pdf
    • https://cdn.shopify.com/s/files/1/0434/3437/7372/files/createjs_spritesheet_animation.pdf
    • https://cdn.shopify.com/s/files/1/0434/5082/6919/files/mesitokewibuwokane.pdf
    • https://cdn.shopify.com/s/files/1/0435/9526/8264/files/spanish_language_learning_books_free.pdf
    • https://cdn.shopify.com/s/files/1/0431/5031/1579/files/xelamulimejifidijeruvafer.pdf
    • https://cdn.shopify.com/s/files/1/0434/7897/4616/files/xefoxega.pdf
    • https://cdn.shopify.com/s/files/1/0429/9200/9365/files/kobexamijejafitirixexez.pdf
    • https://cdn.shopify.com/s/files/1/0433/3387/7915/files/buloxufoxejug.pdf
    • https://cdn.shopify.com/s/files/1/0429/6704/0154/files/6110376361.pdf
    • https://cdn.shopify.com/s/files/1/0463/1409/4754/files/89306803686.pdf
    • https://cdn.shopify.com/s/files/1/0431/7596/8928/files/adeptus_astartes_codex_8th.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000679d.bin
    SHA-256: bf8af68dfffb6845cc72d6436db0741dd7774af8ec2941eb323697d09da58397
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x679D
    Size: 5740 bytes
  • Filename: font_01_sfnt_off00007b07.bin
    SHA-256: 8901f1c0b3776d1c2db2130c6590037a766766c1a75fe538f0e4ab3bf4625e42
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7B07
    Size: 10528 bytes