Malicious PDF — malware analysis report

Static analysis result for SHA-256 83f77bd88beba6eb…

Verdict: MALICIOUS
File type: PDF

Size: 46.7 KB
Created: 2020-08-24 12:47:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 072f4827736a0f202a14a9b67ffb91fa
SHA-1: c04d6a87b37159f2a32f8a8eeeaa80e15e00baad
SHA-256: 83f77bd88beba6ebb678a73b0b67a0c2afaf5f9311488b2df43431eb3761c6d8
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

This PDF file was flagged by a critical heuristic for linking to known malicious redirector infrastructure, specifically 'ttraff.com'. The document body contains numerous embedded links, many of which are hosted on Shopify domains but ultimately lead to the 'ttraff.com' redirector. This suggests a phishing or scam attempt where the attacker uses a link farm to obscure the final malicious destination.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.com/pify?keyword=browserling.+com+whatsapp++in+jio+phone
    • http://files.originalsexyslave.com/uploads/1/3/0/9/130969004/ca2abe.pdf
    • http://kobob.cooksontributeb29.com/uploads/1/3/1/3/131398272/kogifaxota.pdf
    • http://files.kennedypickering.com/uploads/1/3/0/7/130776206/3524856.pdf
    • https://cdn.shopify.com/s/files/1/0437/6346/6391/files/boxosewepenawasuvupirek.pdf
    • https://cdn.shopify.com/s/files/1/0431/2875/0241/files/bibowitegojajaj.pdf
    • https://cdn.shopify.com/s/files/1/0433/8522/5372/files/murakigodalu.pdf
    • https://cdn.shopify.com/s/files/1/0429/9004/3285/files/ruzasotevuruvivoxojife.pdf
    • https://cdn.shopify.com/s/files/1/0432/7358/4793/files/90584258566.pdf
    • https://cdn.shopify.com/s/files/1/0437/5832/1821/files/lukorusigap.pdf
    • https://cdn.shopify.com/s/files/1/0438/2759/3376/files/dart_tutorial_point.pdf
    • https://cdn.shopify.com/s/files/1/0428/0814/8127/files/58917892257.pdf
    • https://cdn.shopify.com/s/files/1/0432/1764/9819/files/ruduzaxuxasogex.pdf
    • https://cdn.shopify.com/s/files/1/0437/7142/9016/files/panalaxosoziwinetufuf.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000076e1.bin
SHA-256: e687c2a3b48f3ec3c294ea8f94d31905e9d7b8caf93b377537fb1acef0cc384b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x76E1
Size: 5596 bytes

Filename: font_01_sfnt_off000089d4.bin
SHA-256: 4ebc206d9582852a42ea1144c965a763b4e999a457d5bb5478e651de30929019
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x89D4
Size: 10612 bytes