Malicious PDF — malware analysis report

Static analysis result for SHA-256 58a0617391546fd2…

MALICIOUS

PDF

51.3 KB Created: 2020-08-30 07:00:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0490d29b9f6f6aca7ec91199b53aa404 SHA-1: 65703c637d60ec2c603cc41b14e6c535ec5a611b SHA-256: 58a0617391546fd25a3aa37c4e1681a13482bde6353cbbaf7a7e59f9f9490085
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=stock+watson+introduction+to+econome'. This URL is the primary indicator of malicious intent, likely serving as a lure for phishing or to redirect to further malicious content. The presence of a large number of external PDF links also suggests a link farm or SEO poisoning attempt to increase visibility of malicious content. The ML classifier strongly supports the malicious verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=stock+watson+introduction+to+econome
    • https://cdn.shopify.com/s/files/1/0432/1571/6516/files/formas_de_preparar_los_caracoles_de_mar.pdf
    • https://cdn.shopify.com/s/files/1/0438/8143/1195/files/wipudojefikazajatumapobi.pdf
    • https://cdn.shopify.com/s/files/1/0432/7201/1941/files/cookiezi_new_skin.pdf
    • https://static.usrfiles.com/ugd/b8c837_3f5de14617d5407e8f4c54e057b94155.pdf
    • https://static.usrfiles.com/ugd/b8c837_66c3b32e43b14a329f38f6bb90c72a2d.pdf
    • https://static.usrfiles.com/ugd/affb4a_765832e2b0274ec5b7a27d4205c47bc9.pdf
    • https://static.usrfiles.com/ugd/d7ba0f_5f24c991c8e247d5881e4e0e0f7eda0f.pdf
    • https://static.usrfiles.com/ugd/b8c837_7094a8965da7427196345dcf8399505a.pdf
    • https://static.usrfiles.com/ugd/b8c837_46ffed815959402a96d0ae1f5e3eee2a.pdf
    • https://static.usrfiles.com/ugd/dd4472_07f8f0bad4004203afe5a7afca9c99f1.pdf
    • https://static.usrfiles.com/ugd/493135_b0120f99421447ada3bcce88ae6d8168.pdf
    • https://static.usrfiles.com/ugd/b8c837_99f972d9c7d9437c9f3b7063e3a3e615.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007bcb.bin
19bcfe55015df803e6e67e04d3993e0fee1e4f931300f157746eb6a9cf4ba794		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7BCB 5192 bytes
font_01_sfnt_off00008d59.bin
f6da5228a2fc15d5db1704c891f49ba2e03c9d91c846defbaeb8f0eee06df610		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8D59 10796 bytes
font_02_sfnt_off0000b24b.bin
1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB24B 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.