Malicious PDF — malware analysis report

Static analysis result for SHA-256 520ac290b5ac0714…

MALICIOUS

PDF

37.8 KB Created: 2020-08-24 13:25:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: acf0bc3a132be7fc925bc9b66445b627 SHA-1: 2c0a70d100d588e853e0281b0598689ea344a6f0 SHA-256: 520ac290b5ac071439ae4efaa2ce0ba34325ef6be1686fa8424b37f4b7028dfc
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to Shopify domains hosting seemingly benign PDFs. However, one critical link directs to 'ttraff.com', identified as a malicious redirector. This suggests a phishing or social engineering attack aiming to redirect users to malicious content. The presence of a link farm and a malicious redirector indicates a coordinated effort to distribute malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=sepsis+shock+guidelines+2018
    • http://movusaziv.tornadoalleychasing.com/uploads/1/3/0/7/130739113/mafenatigo-rojupuk.pdf
    • https://cdn.shopify.com/s/files/1/0435/3189/4944/files/jolunalod.pdf
    • https://cdn.shopify.com/s/files/1/0432/0693/4688/files/ridibuxuzigurimofavedem.pdf
    • https://cdn.shopify.com/s/files/1/0463/5669/3154/files/lesson_3_homework_practice_dilations_answers.pdf
    • https://cdn.shopify.com/s/files/1/0431/0453/4692/files/vatozu.pdf
    • https://cdn.shopify.com/s/files/1/0435/3510/6200/files/24461028536.pdf
    • https://cdn.shopify.com/s/files/1/0432/6621/2003/files/nujuk.pdf
    • https://cdn.shopify.com/s/files/1/0450/6599/4392/files/57772660490.pdf
    • https://cdn.shopify.com/s/files/1/0435/1184/0927/files/borubojoxiwipeke.pdf
    • https://cdn.shopify.com/s/files/1/0434/4964/7264/files/15015890108.pdf
    • https://cdn.shopify.com/s/files/1/0430/7684/5728/files/unisa_online_application_form.pdf
    • https://cdn.shopify.com/s/files/1/0437/4387/1127/files/befutejaf.pdf
    • https://cdn.shopify.com/s/files/1/0428/8443/2038/files/football_template_for_ppt.pdf
    • https://cdn.shopify.com/s/files/1/0436/0346/0259/files/81826247091.pdf
    • https://cdn.shopify.com/s/files/1/0432/5477/5970/files/60106181295.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000542e.bin
21beac1123658817e4146f2181977e0040f2f6a8bccb80a77a430352e20a544d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x542E 5716 bytes
font_01_sfnt_off000067a8.bin
d30ca95d656b3cf4703ba84ef41c71e55403ed634aa675e6166c0254f37bbb27		 pdf-font-stream PDF embedded font (sfnt) at offset 0x67A8 10288 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.