Malicious PDF — malware analysis report

Static analysis result for SHA-256 77eb860c21ac41a7…

MALICIOUS

PDF

63.0 KB Created: 2020-09-18 06:41:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a41337a3009839778da1208ae307e727 SHA-1: a61b23164b68bae8f5b514c69542c8695faa0ad8 SHA-256: 77eb860c21ac41a7a2f02e556e26b76f53b54884e64bc0eee7dc9c47ffd8342c
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, directing users to 'ttraff.me'. The document body, though heavily obfuscated, contains a URL that matches the redirector. This suggests the PDF is designed to redirect users to malicious content, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=pltw+engineering+activity+5.4+calculating+properties+of+solids+answers
    • https://cdn.shopify.com/s/files/1/0438/0780/1501/files/85649487417.pdf
    • https://cdn.shopify.com/s/files/1/0439/1347/8312/files/fogavosamozuro.pdf
    • https://cdn.shopify.com/s/files/1/0434/5656/1318/files/sigefagesuwufak.pdf
    • https://cdn.shopify.com/s/files/1/0435/7586/9599/files/xukamaluguludi.pdf
    • https://cdn.shopify.com/s/files/1/0432/4111/1707/files/foniwuxozubategezik.pdf
    • https://cdn.shopify.com/s/files/1/0430/4293/0842/files/74583956345.pdf
    • https://241a074d-3d48-4ad2-8297-00a5cefccda5.filesusr.com/ugd/8c7d07_a6069cef7ed84ac48a95b15ddd5e2939.pdf?index=true
    • https://a653aff5-7961-4491-bb7f-d44cfa1ee2d5.filesusr.com/ugd/1a1092_a90bb64718dc4e09a40dcea279db50f8.pdf?index=true
    • https://6b496ae5-dd97-4e59-aea2-eaac01602c1e.filesusr.com/ugd/70094d_64b7d852ef134c58adcb600a7747ecfc.pdf?index=true
    • https://92f85fa5-14e9-499d-93fd-6f97f249a21b.filesusr.com/ugd/60e703_627a775800744900971ba04e8f284a67.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a235.bin
928109d5e40aacfea525f74364862bbc5c51345a05a85a641892883ec12a7fa5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA235 5704 bytes
font_01_sfnt_off0000b5c9.bin
71e81bbab80fef8b5f46f9aabddb8eedc6bd049e99d762d478d91d8fe969b6b9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB5C9 13040 bytes
font_02_sfnt_off0000e058.bin
ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE058 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.