Malicious PDF — malware analysis report

Static analysis result for SHA-256 76f4956e8e5cf35f…

MALICIOUS

PDF

41.8 KB Created: 2020-09-08 11:44:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 01cdf697272fa3077858e10a86ee7fba SHA-1: fca9e50757f7704594e11b7fd3b0886542410387 SHA-256: 76f4956e8e5cf35f0797a514c4aab4716b72ca5466f46d53d212dcf8efcc755a
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/wix?keyword=between+the+sheets+album+zip'. This URL is embedded within the document body, suggesting an attempt to trick the user into visiting a malicious site. The presence of a large number of external PDF links, many of which are benign Shopify URLs, indicates a potential SEO poisoning or link farm tactic to obscure the malicious redirector. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=between+the+sheets+album+zip
    • https://cdn.shopify.com/s/files/1/0430/8392/3609/files/types_of_market_segmentation_with_examples.pdf
    • https://cdn.shopify.com/s/files/1/0431/8982/9800/files/fuzonupokuwezisuxasis.pdf
    • https://cdn.shopify.com/s/files/1/0461/7820/5850/files/balanced_body_reformer_uk.pdf
    • https://cdn.shopify.com/s/files/1/0460/7973/8020/files/9613166682.pdf
    • https://cdn.shopify.com/s/files/1/0430/7425/7057/files/45048193822.pdf
    • https://cdn.shopify.com/s/files/1/0434/4836/9319/files/relamabupe.pdf
    • https://static.usrfiles.com/ugd/868b90_2afd44fca3964d9c9c7dd2605bfa2252.pdf
    • https://static.usrfiles.com/ugd/c5d40f_aa41b307bf4441b4b7ffff9f63a6bbfc.pdf
    • https://static.usrfiles.com/ugd/76156b_ade3e81915c7443e88dac3a29bd1ab2a.pdf
    • https://static.usrfiles.com/ugd/b8c837_7c5a5f1c004b43e59988ca5e22f8c7ce.pdf
    • https://static.usrfiles.com/ugd/76de1a_98bb8f76f8444a5b912df15d613ddcd7.pdf
    • https://static.usrfiles.com/ugd/d162e3_96d8ab3c029f4075ab1682c0163dceef.pdf
    • https://static.usrfiles.com/ugd/19ce5d_cd451444d7e84a16a12fadfed31bd072.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005701.bin
49f103c6844000005192b19309e2a399a9b4b8cadd956b6f15c7a8cf32417faa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5701 5292 bytes
font_01_sfnt_off000068f6.bin
d65f3a3ec9cdb9589d97108c6afbbf0687d1f02d6cb855898f3f3eb6a44565df		 pdf-font-stream PDF embedded font (sfnt) at offset 0x68F6 16104 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.