Malicious PDF — malware analysis report

Static analysis result for SHA-256 8117829212f9c356…

MALICIOUS

PDF

Size: 64.5 KB
Created: 2020-09-18 01:28:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 012eb0b286fe6b028f2c75f7f06e9d56
SHA-1: be5a7320d48fc655b305b427862d80cdb47f00a2
SHA-256: 8117829212f9c356d057d1e6d726cd959d36bef38496cdc3cbebd41d03430b10
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a prominent link to `ttraff.com`, identified as a malicious redirector. The document body, though partially garbled, appears to be a lure related to assembly instructions, aiming to trick the user into clicking the malicious link. The presence of a large number of external PDF links, many pointing to benign Shopify URLs, suggests a potential SEO poisoning or link farm tactic to obscure the malicious redirector.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/wix?keyword=sportcraft+basketball+arcade+hoops+assembly+instructions
    • http://gosizesu.clintlunde.com/uploads/1/3/0/9/130970003/fijogisoxuz.pdf
    • http://rasifox.hamptonplaceclt.com/uploads/1/3/1/8/131857204/4d1a29.pdf
    • http://femizoda.duarteband.com/uploads/1/3/1/4/131454065/rakevijelapof_bamugabugin_pitukixoti_motenatuxejif.pdf
    • http://files.aera20.net/uploads/1/3/0/9/130969204/c4317d.pdf
    • http://files.firetrailers.com/uploads/1/3/1/1/131164118/b6091.pdf
    • https://cdn.shopify.com/s/files/1/0439/3769/3851/files/emerson_900_watt_microwave_oven.pdf
    • https://cdn.shopify.com/s/files/1/0432/5359/6310/files/93260445258.pdf
    • https://cdn.shopify.com/s/files/1/0480/4693/2132/files/best_phone_call_answers.pdf
    • https://0d7e4131-4b6b-4bc4-9df1-c4f7c1579c51.filesusr.com/ugd/6f58fb_641bc252fe6649938d2d26ae30e81f38.pdf?index=true
    • https://133f22f9-6cd4-450d-9066-c84243ee535f.filesusr.com/ugd/938c70_4914e5b1c428406994f867f215ef3352.pdf?index=true
    • https://955f742f-f901-4e6c-8b4b-bbe09b6b2627.filesusr.com/ugd/0df15e_5905c18f9dbe49f9821c3a1be55d91a2.pdf?index=true
    • https://4ccc0a30-0e3c-4974-b754-f5ae032e470f.filesusr.com/ugd/3bf302_bfe1dee0841b401f8abd03a4d72204ac.pdf?index=true
    • https://609bb223-f075-457b-bdae-c881ab12b8bf.filesusr.com/ugd/d2cc1f_8435671658354aa3a937939f82a3e127.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000b7d2.bin
  SHA-256: 0c9b67006cd783d2bc5f9939f822ad6be4c7dbb4c9acfeccb63079cd478c6360
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB7D2
  Size: 5804 bytes

Filename: font_01_sfnt_off0000cb72.bin
  SHA-256: 6a01a8022dd370fe4f9ace974ec6f8d84ebe7fda1baff9fb995e3b0bd34f9036
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xCB72
  Size: 12416 bytes