Malicious PDF — malware analysis report

Static analysis result for SHA-256 553ece875e3fb17c…

MALICIOUS

PDF

Size: 41.0 KB  Created: 2020-08-23 19:44:14 +03:00  Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b916e0b5209ecab34f945cadc62b6ff5  SHA-1: 4652b12f2e966997a25e2e2527d4530a783009e8  SHA-256: 553ece875e3fb17c8b4bf70b0788f1f070a8cbf0376bf062694e9dc330f6fc89
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. This URL is presented within the document body, disguised as a 'free cognitive ability test pdf'. The document also exhibits characteristics of a link farm, with numerous embedded URLs, many of which are hosted on shopify.com but also include other suspicious domains. The ML classifier strongly flagged this PDF as malicious, supporting the conclusion that it is designed for malicious redirection.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=free+cognitive+ability+test+pdf (redirector link flagged by PDF_MALICIOUS_REDIRECTOR_LINK)
    • http://files.lifestylepoolservice.com/uploads/1/3/1/4/131437680/4e4a0d055.pdf
    • http://sidilujiv.miracleofyourlife.com/uploads/1/3/1/4/131437421/simedij_nelozovudi_rozodetarolenaw.pdf
    • http://jirapoke.friendsofmiddleboroughcemeteries.org/uploads/1/3/2/6/132695615/c666f60bcfd.pdf
    • https://cdn.shopify.com/s/files/1/0432/9416/3109/files/9055985599.pdf
    • https://cdn.shopify.com/s/files/1/0433/6317/2502/files/goljan_pathology.pdf
    • https://cdn.shopify.com/s/files/1/0434/2736/5031/files/answer_key_hssc_clerk_23_september_2020.pdf
    • https://cdn.shopify.com/s/files/1/0431/4585/5137/files/69822608538.pdf
    • https://cdn.shopify.com/s/files/1/0431/1823/1709/files/30576485264.pdf
    • https://cdn.shopify.com/s/files/1/0431/9277/8912/files/zuxelepasudi.pdf
    • https://cdn.shopify.com/s/files/1/0429/7474/0639/files/98894772357.pdf
    • https://cdn.shopify.com/s/files/1/0432/4478/1735/files/zulavuzesudowu.pdf
    • https://cdn.shopify.com/s/files/1/0428/8380/9439/files/gajamifufonefoji.pdf
    • https://cdn.shopify.com/s/files/1/0434/9198/3512/files/87137924437.pdf
    • https://medlineplus.gov/lab-tests/cognitive-testing/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off000060a3.bin
    SHA-256: d239f57dd743656f68f252ea54cc360d7b3a4a7a0d1393f8dd546bf32ece177d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x60A3
    Size: 5580 bytes
  • font_01_sfnt_off000073b0.bin
    SHA-256: c7fa23231e380124ac6e0213b819b2c5a62e4d29ea6fd1cd309d528981860832
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x73B0
    Size: 10568 bytes