Malicious PDF — malware analysis report

Static analysis result for SHA-256 5794a40292e46111…

Verdict: MALICIOUS
File type: PDF
Size: 31.9 KB
Created: 2020-08-31 06:02:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9bc85e3ca83d5b23b253c0b018dcaf19
SHA-1: 85db5971370c35d79fba3ac554a7deaa627969d5
SHA-256: 5794a40292e46111cdb0ab99fbfff17dd984ee706596f61a20e0ed51ff9950e5
Risk Score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing indicating a malicious redirector link to 'ttraff.com'. The document body, though heavily obfuscated, appears to contain the same URL. This suggests the primary purpose of the document is to lure the user to this malicious site, likely for a phishing or scam operation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL (link annotation, redirector): https://ttraff.com/wix?keyword=piensa+y+crece+rico+napoleon+hill+pd

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003eea.bin
  SHA-256: 0003b5fce80bd87751a0b0a3c0c346da24c73747d3b5f8f70fc323ebb8d9bab4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3EEA
  Size: 5264 bytes

Filename: font_01_sfnt_off000050ba.bin
  SHA-256: 8e0c53aaaa6d541f3c2428d472785b70bf5c209562e5aa93579770df9f73841b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x50BA
  Size: 10164 bytes