Malicious PDF — malware analysis report

Static analysis result for SHA-256 52b4edaedc30888f…

Verdict: MALICIOUS
File type: PDF
Size: 105.8 KB
Created: 2020-07-29 06:24:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bb82a782df9083e0d85791b322b5aa80
SHA-1: 7ac91f79cc378a660576424caf577d05a62698ce
SHA-256: 52b4edaedc30888fbd2f2268d97b7e3d889a805e094d4d1db61e619ee4e7ad96
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

Two critical heuristics flagged this PDF: a clickable link to known malicious redirector infrastructure and a large external PDF link farm. The primary malicious URL sits on ttraff.com, a host known for redirecting visitors into malicious delivery chains. The document body is garbled text, which indicates the file exists to carry the links rather than to be read; the wkhtmltopdf producer string is consistent with a machine-generated carrier. Both detections depend on a user clicking a link and following a redirect chain, not on a PDF parser vulnerability, so the risk is in the landing infrastructure rather than in the file itself.

Machine Learning

  • Nyx PDF Classifier: malicious (score 0.9995)

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, and does not match a normal document citation pattern.
  • EMBEDDED_URL (info): embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=responsible+answerable+synonyms
    • http://files.the12thcan.org/uploads/1/3/2/8/132814155/7596359.pdf
    • http://files.pattidunne.com/uploads/1/3/1/1/131164431/3823370.pdf
    • http://files.anncartermedium.com/uploads/1/3/0/8/130873983/jomopikoru.pdf
    • http://files.fatbellybassmasters.com/uploads/1/3/2/7/132740552/591523.pdf
    • http://files.estellessweetitchblankets.com/uploads/1/3/1/4/131409170/tixavaxanepuluxuvit.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/gowaluzefep.pdf
    • https://cdn.shopify.com/s/files/1/0430/1137/5267/files/rebus.pdf
    • https://cdn.shopify.com/s/files/1/0430/0052/9049/files/50184370285.pdf
    • https://cdn.shopify.com/s/files/1/0432/9416/3109/files/sokekedatopolupamatavituj.pdf
    • https://cdn.shopify.com/s/files/1/0430/2897/1674/files/navapazikigafijudeneb.pdf
    • https://cdn.shopify.com/s/files/1/0428/9688/3868/files/xiwosidajaku.pdf
    • https://cdn.shopify.com/s/files/1/0433/3892/4181/files/26406551005.pdf
    • https://cdn.shopify.com/s/files/1/0432/7541/9798/files/kikizatofofebinaw.pdf
    • https://cdn.shopify.com/s/files/1/0431/7066/0508/files/sotilonowok.pdf
    • https://cdn.shopify.com/s/files/1/0430/4447/0945/files/32690992274.pdf
    • https://cdn.shopify.com/s/files/1/0429/9004/3285/files/kemoduxizuletalezug.pdf
    • https://cdn.shopify.com/s/files/1/0431/5945/3860/files/zivufigusugixojixa.pdf
    • https://cdn.shopify.com/s/files/1/0441/1126/5944/files/86166583168.pdf
    The following six entries are XMP/RDF namespace identifiers from the document's metadata packet, not clickable links, and are listed only because the extractor reports every URL-shaped string:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/ (URL prefix, reported as extracted)
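The following Python is an added illustration of the two critical rules above and is not the scanner's own code. It pulls every /URI action target out of a PDF's uncompressed object tree, checks the hosts against a redirector list, and applies the link-farm logic (small file, many external .pdf links, one dominant host). The thresholds, the redirector host set beyond ttraff.com (the only host this report names), and the sample PDF and URL set are assumptions constructed for the example; the URL distribution mirrors the report's (one redirector link, twelve .pdf links on cdn.shopify.com, five on other hosts). A regex over raw bytes only sees URIs in plain objects; PDF 1.5+ producers can pack annotation dictionaries into compressed object streams, so a real scanner inflates streams before matching.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Hosts treated as known redirector infrastructure. ttraff.com is the host this
# report names; anything added to this set is the analyst's own assumption.
REDIRECTOR_HOSTS = {"ttraff.com"}

# Assumed thresholds for the link-farm rule. The report does not publish the
# scanner's real values; these are chosen so that a file like the report's
# sample (105.8 KB, 17 external .pdf links, 12 on one host) trips the rule.
MAX_CARRIER_SIZE = 512 * 1024   # "small PDF"
MIN_PDF_LINKS = 10              # "many clickable external PDF links"
MIN_CLUSTER_RATIO = 0.5         # "mostly clustered on one host"

# /URI (literal string) inside a URI action dictionary. Literal strings escape
# ( ) and \ with a backslash, so escaped characters are allowed inside the
# parens. Hex-string form (/URI <...>) and URIs inside compressed object
# streams are not matched; a production scanner inflates streams first.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def _unescape(literal: bytes) -> str:
    # Drop the backslash from \( \) \\ sequences; URIs are ASCII.
    return re.sub(rb"\\(.)", rb"\1", literal).decode("latin-1")


def extract_link_uris(pdf_bytes: bytes) -> list[str]:
    """Every /URI action target found in plain (uncompressed) objects, in file order."""
    return [_unescape(m.group(1)) for m in _URI_RE.finditer(pdf_bytes)]


def redirector_hits(urls: list[str]) -> list[str]:
    """URLs whose host is, or is a subdomain of, a known redirector host."""
    hits = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in REDIRECTOR_HOSTS):
            hits.append(url)
    return hits


def link_farm_verdict(pdf_bytes: bytes, urls: list[str]) -> dict:
    """Small file + many external .pdf links + one dominant host => link farm."""
    pdf_links = [u for u in urls
                 if urlparse(u).scheme in ("http", "https")
                 and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter((urlparse(u).hostname or "").lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    ratio = top_count / len(pdf_links) if pdf_links else 0.0
    flagged = (len(pdf_bytes) <= MAX_CARRIER_SIZE
               and len(pdf_links) >= MIN_PDF_LINKS
               and ratio >= MIN_CLUSTER_RATIO)
    return {"flagged": flagged, "pdf_links": len(pdf_links),
            "top_host": top_host, "cluster_ratio": round(ratio, 2)}


def analyse(pdf_bytes: bytes) -> dict:
    """Run the three rules from the report and return the rule IDs that fire."""
    urls = extract_link_uris(pdf_bytes)
    farm = link_farm_verdict(pdf_bytes, urls)
    findings = []
    if redirector_hits(urls):
        findings.append("PDF_MALICIOUS_REDIRECTOR_LINK")   # critical
    if farm["flagged"]:
        findings.append("PDF_SEO_LINK_FARM")               # critical
    if urls:
        findings.append("EMBEDDED_URL")                    # info
    return {"urls": urls, "findings": findings, "link_farm": farm}


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed test input: a minimal uncompressed PDF with one /Link
    annotation per URL. No xref table (enough for the extractor, not for a
    viewer); this is not the sample analysed in the report."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = " ".join(f"{4 + i} 0 R" for i in range(len(urls))).encode()
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/Annots [" + refs + b"] >>")
    for url in urls:
        esc = url.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (" + esc.encode("ascii") + b") >> >>")
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed URL set mirroring the report's distribution: one redirector link,
# twelve .pdf links on cdn.shopify.com and five on unrelated (made-up) hosts.
SAMPLE_URLS = (
    ["https://ttraff.com/pify?keyword=responsible+answerable+synonyms"]
    + [f"https://cdn.shopify.com/s/files/1/0430/{i:04d}/files/doc{i}.pdf" for i in range(12)]
    + [f"http://files.example{i}.org/uploads/{i}.pdf" for i in range(5)]
)
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    result = analyse(SAMPLE_PDF)
    print(result["findings"], result["link_farm"])
```

Against the constructed sample all three rule IDs fire, with cdn.shopify.com as the dominant host at roughly 71% of the .pdf links. To run this over a real carrier, decompress object streams first (or feed it the output of a PDF parser that already has), otherwise link annotations hidden in /ObjStm objects are silently missed and the link-farm count comes out too low.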

Extracted artifacts (6)

Files carved from inside the sample during analysis. All six are embedded sfnt font streams, which is normal for wkhtmltopdf output; no JavaScript, embedded file or other active content was carved, consistent with the heuristics' observation that this sample relies on redirect chains rather than on a parser vulnerability.

  • font_00_sfnt_off00009b0d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9B0D
    Size: 22264 bytes
    SHA-256: e83db5769b4975273a5336b507375897fbcd750877e320cb0c193ad4e7f9e2f3
  • font_01_sfnt_off0000e20a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE20A
    Size: 5016 bytes
    SHA-256: 4d9f6eec6097e221e91b114edb6de613cab499abd7f3ada9a4d26b4b13ed0f19
  • font_02_sfnt_off0000f2f4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF2F4
    Size: 12104 bytes
    SHA-256: 9768db340ff6f54b70159041f9eec3eeb37a80ba3e38ceba67725a7eee9b975f
  • font_03_sfnt_off000114dc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x114DC
    Size: 21524 bytes
    SHA-256: 40e3fefbe060f0f1e2df2498c4770981ee9b89f5a277d1c0f8b4fdeb523854cf
  • font_04_sfnt_off000153d0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x153D0
    Size: 26472 bytes
    SHA-256: 0f8bcd08a48f0ce877ba08cb1bb8ddf79b1274f0f014f63f3e41903dbc2e6f93
  • font_05_sfnt_off00018212.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x18212
    Size: 6524 bytes
    SHA-256: bd6c0974da9c92f2a2b3436f86d98d6f8f7744149df803ebb4fc69b55831fb88