Malicious PDF — malware analysis report

Static analysis result for SHA-256 55cbf8c6b99cc4d0…

MALICIOUS

PDF

152.6 KB Created: 2020-09-16 14:33:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 03b0ba77f07c490690392f437ffae0d6 SHA-1: 980b72a942fe195ee934b199c11649b2d3ea94f6 SHA-256: 55cbf8c6b99cc4d0c22edee1fdb307873298d642d96ed412cabbcad9e207c06e
90 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing indicating a malicious redirector link. The embedded URL 'https://ttraff.link/wix?keyword=ultra+b+gba+game+apk' is directly associated with this malicious activity. The document body, though heavily obfuscated, contains this URL, suggesting it's the primary lure. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=ultra+b+gba+game+apk
    • https://cdn.shopify.com/s/files/1/0428/8937/9993/files/99449469617.pdf
    • https://cdn.shopify.com/s/files/1/0434/2451/4200/files/1626844987.pdf
    • https://cdn.shopify.com/s/files/1/0429/7788/6367/files/furmark_latest_version.pdf
    • https://cdn.shopify.com/s/files/1/0432/3174/0071/files/ford_owners_manual.pdf
    • https://560b0f8b-4a6e-40ea-89c3-9de942e3d5cb.filesusr.com/ugd/3ed902_7c06b90dcadc4259b2db58b878bbdc1b.pdf?index=true
    • https://046271e0-5544-4b74-9052-808681b28479.filesusr.com/ugd/2994dd_d82977ef085c4c598a4996df0858ba6f.pdf?index=true
    • https://c76fa012-3d87-4048-a688-06688eecf015.filesusr.com/ugd/dcc11b_353147da7977440dab7d855f685af839.pdf?index=true
    • https://5e1f0ed5-9fab-4342-a207-a6cfaf2cbf1a.filesusr.com/ugd/b90ba1_e98115fb821c44b49d06be562f77de56.pdf?index=true
    • https://d63270ad-0122-408a-907a-fb41ca4bae62.filesusr.com/ugd/c5d40f_8d613205b5d8411080629113fe485273.pdf?index=true
    • https://16cb1bee-874e-46de-a3ff-5b27afc70349.filesusr.com/ugd/8bf3fc_153a8dc514b14e16985921a2e86c1c7f.pdf?index=true
    • https://ae744221-7297-47b4-993e-ed89eabdae4b.filesusr.com/ugd/c722c2_5357f69a482744cca321fdc24d90dcf7.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0432/1063/7476/files/vivotipamabejesipem.pdf
    • https://cdn.shopify.com/s/files/1/0427/4746/1788/files/xxx_password_hackers.pdf
    • https://cdn.shopify.com/s/files/1/0454/7723/2790/files/business_model_generation_book.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00020f09.bin
6a03021c27a3fe4e1b4b81cd27df14823ac2100a8e339435b9ad640fc6b97b4c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x20F09 5156 bytes
font_01_sfnt_off00022083.bin
b459da22f467f03fc8dc63ae2a00c6e06e6b4f4c93882b6159b0a347bb42b378		 pdf-font-stream PDF embedded font (sfnt) at offset 0x22083 17480 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.