Malicious PDF — malware analysis report

Static analysis result for SHA-256 58cb3d3264b9a57d…

Verdict: MALICIOUS
File type: PDF

Size: 49.2 KB
Created: 2020-08-30 22:30:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9cf5e82601730c1ee677974fc60b3d2d
SHA-1: ce6016f64380ced38e60b49fabecb1efa2e6ea44
SHA-256: 58cb3d3264b9a57d30e555b3c58b845ef458c5ce206e55299a250af72ba0bd9d
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Link (T1566.002 is the link sub-technique; "Spearphishing Attachment" is T1566.001)
  • T1059.001 PowerShell (not corroborated by the static results: no scripts were extracted from the sample)

The PDF was flagged for a clickable redirector link to ttraff.com, infrastructure associated with a known malicious PDF SEO/adware delivery campaign (see the heuristics below). The document body is mostly garbled text, but it carries the same redirector URL together with a cluster of .pdf links on cdn.shopify.com and static.usrfiles.com; that is the pattern of a generated link-farm lure, not of a document citing sources. No JavaScript or other script content was extracted, so, as is typical for this family, the sample depends on the user clicking through a redirect chain rather than on a PDF parser vulnerability. The redirector URL alone is a strong indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs reached through link annotations or the document body:
    • https://ttraff.com/wix?keyword=thomas+era+s%25C3%25B3lo+ign+ps3+liberaci%25C3%25B3n
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/1369814796.pdf
    • https://cdn.shopify.com/s/files/1/0430/0832/7829/files/adb_install_apk_error_device_unauthorized.pdf
    • https://cdn.shopify.com/s/files/1/0431/0073/3596/files/33607409364.pdf
    • https://cdn.shopify.com/s/files/1/0432/2033/6807/files/65960870722.pdf
    • https://cdn.shopify.com/s/files/1/0428/2325/4179/files/ty_beanie_babies_collectors_guide.pdf
    • https://cdn.shopify.com/s/files/1/0432/1024/4260/files/83198944334.pdf
    • https://cdn.shopify.com/s/files/1/0432/3776/9383/files/trumpet_trio_sheet_music_free.pdf
    • https://static.usrfiles.com/ugd/b8c837_81dc683b970c48aca77afce710b8cbcd.pdf
    • https://static.usrfiles.com/ugd/b8c837_efab7b681d9a43dfa11e5b6b10af5f43.pdf
    • https://static.usrfiles.com/ugd/b8c837_92488ebecacd42a48bb8969f0ff89d03.pdf
    • https://static.usrfiles.com/ugd/b8c837_d0772ad1f9fc4f0c826e10c568da8e90.pdf
    XMP namespace declarations from the document's metadata packet (the standard RDF, Dublin Core and Adobe XMP namespace URIs; these are xmlns attributes, not clickable links, and should not be treated as indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
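To reproduce the two link heuristics above outside the scanner, here is an added example; it is not the scanner's code and not part of the original report. It is a stdlib-only Python extractor that pulls /URI link-action targets out of a PDF, inflates Flate streams so annotations parked in object streams are not missed, and then scores the redirector and link-farm rules. REDIRECTOR_HOSTS holds only ttraff.com, the host this report names; the size, link-count and host-share thresholds are assumptions chosen for illustration; and the PDF it builds for a test run is constructed here around the URLs listed above, not the analysed sample.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# ttraff.com is the redirector host named in this report; anything else would be your own intel.
REDIRECTOR_HOSTS = {"ttraff.com"}
# Link-farm thresholds are assumptions for illustration, not the scanner's tuning.
LINK_FARM_MAX_SIZE = 200 * 1024   # what counts as a "small" PDF
LINK_FARM_MIN_PDF_LINKS = 5       # clickable external .pdf links required
LINK_FARM_HOST_SHARE = 0.5        # share of those links on the top host

# /URI action value: a PDF literal string with backslash escapes (unescaped nested parens not handled).
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def _unescape(s: bytes) -> str:
    """Decode PDF literal-string escapes: \\n \\( \\) \\\\ and \\ddd octal."""
    def sub(m):
        e = m.group(1)
        return bytes([int(e, 8) & 0xFF]) if e[:1] in b"01234567" else _ESC.get(e, e)
    return re.sub(rb"\\([0-7]{1,3}|.)", sub, s, flags=re.S).decode("latin-1")


def extract_uris(pdf: bytes, inflate: bool = True) -> list:
    """/URI action targets in order of first appearance. Raw bytes are scanned first;
    with inflate=True every stream body is also tried as Flate data, so annotations
    inside /ObjStm object streams are found. XMP xmlns URIs are never /URI actions."""
    buffers = [pdf]
    if inflate:
        for m in STREAM_RE.finditer(pdf):
            try:   # decompressobj tolerates a clipped trailing checksum byte
                buffers.append(zlib.decompressobj().decompress(m.group(1)))
            except zlib.error:
                pass   # not Flate (font, XMP, image): its raw bytes were already scanned
    seen, uris = set(), []
    for buf in buffers:
        for m in URI_RE.finditer(buf):
            u = _unescape(m.group(1))
            if u not in seen:
                seen.add(u)
                uris.append(u)
    return uris


def analyze(pdf: bytes) -> dict:
    """Apply the report's two link heuristics to one PDF and return the evidence."""
    uris = extract_uris(pdf)
    external = [u for u in uris if urlsplit(u).scheme in ("http", "https")]
    redirector = [u for u in external if urlsplit(u).hostname in REDIRECTOR_HOSTS]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_share = top_n / len(pdf_links) if pdf_links else 0.0
    hits = []
    if redirector:
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if (len(pdf) <= LINK_FARM_MAX_SIZE and len(pdf_links) >= LINK_FARM_MIN_PDF_LINKS
            and top_share >= LINK_FARM_HOST_SHARE):
        hits.append("PDF_SEO_LINK_FARM")
    return {"uris": uris, "redirector": redirector, "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": top_share, "heuristics": hits}


# Constructed test input: the URLs are copied from this report; the PDF around
# them is built here and is not the analysed sample.
SAMPLE_LINKS = [
    "https://ttraff.com/wix?keyword=thomas+era+s%25C3%25B3lo+ign+ps3+liberaci%25C3%25B3n",
    "https://cdn.shopify.com/s/files/1/0433/0687/7080/files/1369814796.pdf",
    "https://cdn.shopify.com/s/files/1/0430/0832/7829/files/adb_install_apk_error_device_unauthorized.pdf",
    "https://cdn.shopify.com/s/files/1/0431/0073/3596/files/33607409364.pdf",
    "https://cdn.shopify.com/s/files/1/0432/2033/6807/files/65960870722.pdf",
    "https://static.usrfiles.com/ugd/b8c837_81dc683b970c48aca77afce710b8cbcd.pdf",
]


def _annot(url: str) -> bytes:
    return (b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
            b"/A << /S /URI /URI (" + url.encode("latin-1") + b") >> >>")


def build_sample_pdf() -> bytes:
    """One page with link annotations, an XMP packet whose xmlns URIs must not count as
    links, and the last annotation hidden in a Flate object stream. No xref table needed."""
    objs = [b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>\nendobj\n",
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"]
    refs = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(SAMPLE_LINKS)))
    objs.append(b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/Annots [" + refs + b"] >>\nendobj\n")
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>')
    objs.append(b"4 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n"
                % len(xmp) + xmp + b"\nendstream\nendobj\n")
    for i, url in enumerate(SAMPLE_LINKS[:-1]):
        objs.append(b"%d 0 obj\n" % (10 + i) + _annot(url) + b"\nendobj\n")
    header = b"%d 0 " % (10 + len(SAMPLE_LINKS) - 1)   # "objnum offset" pair for /N 1
    data = zlib.compress(header + _annot(SAMPLE_LINKS[-1]))
    objs.append(b"5 0 obj\n<< /Type /ObjStm /N 1 /First %d /Length %d "
                b"/Filter /FlateDecode >>\nstream\n" % (len(header), len(data))
                + data + b"\nendstream\nendobj\n")
    return b"%PDF-1.5\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

Running analyze(build_sample_pdf()) returns both rule identifiers. Calling extract_uris with inflate=False shows the one link the raw-bytes scan misses, which is why a plain grep over the file is not a substitute for decoding streams, and the XMP namespace URIs in the metadata packet are correctly absent from the result because they never appear as /URI actions. The example does not cover object streams with other filters, /Launch or /GoToR actions, or JavaScript-driven navigation; a production scanner would need all three.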

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType-style) font programs; no scripts or other payloads were carved.

Filename                        Kind              Source                                    Size
font_00_sfnt_off0000731b.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x731B   3892 bytes
    SHA-256: af3806b49600c1b19a08edccaf65112c5d5e672b7691cc4ae3f2bc0e088b41b4
font_01_sfnt_off000080ae.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x80AE   5736 bytes
    SHA-256: 9f8f0b3cff11d3c0eec24c768cee45d9103ef31bb1831994de4646ec23512b3f
font_02_sfnt_off000093c9.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x93C9   9980 bytes
    SHA-256: c53b928f53d6615cdec34618cfd28932d7e64ee0269707beeff34877e4ec71cf