Malicious PDF — malware analysis report

Static analysis result for SHA-256 84cff95aa101ee97…

MALICIOUS

PDF

46.8 KB Created: 2020-09-01 22:45:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a989dbe1fbcc908336625db4accd4d7a SHA-1: dfb4fdf9287363b567313dda1c012acbf4fc19d2 SHA-256: 84cff95aa101ee9799163321c05d5c8e083fce2f46e1d6a8e358b6707f9916df
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous links, including one to a known malicious redirector (ttraff.me). The document body, though heavily obfuscated, contains text referencing a 'yearly calendar template' and the malicious URL, suggesting a lure to trick users into clicking the link. The presence of a PDF link farm heuristic further supports the malicious intent of distributing links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=yearly+calendar+template+by+vertex42.+com
    • https://static.usrfiles.com/ugd/b8c837_f53f307fa0df48128f1fe8f7a253689a.pdf
    • https://static.usrfiles.com/ugd/217d68_14ed1aa7ac9f4e64937a673b90bab772.pdf
    • https://static.usrfiles.com/ugd/0a052f_e6e211ed29f445b28170041a5226edca.pdf
    • https://cdn.shopify.com/s/files/1/0430/3175/6957/files/mojinivekuzogowit.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/dutevitijenunolekegek.pdf
    • https://static.usrfiles.com/ugd/41a0b6_7a43394027af4683861bca0296fce8b5.pdf
    • https://static.usrfiles.com/ugd/724bd4_c5d9a1c8723c4d60a3c1f4a9ac221e82.pdf
    • https://cdn.shopify.com/s/files/1/0428/7938/5756/files/star_wars_battle_front_2_ps2_cheats.pdf
    • https://cdn.shopify.com/s/files/1/0429/7005/4805/files/raboxexovogesenijutekom.pdf
    • https://cdn.shopify.com/s/files/1/0437/7470/5815/files/judijulato.pdf
    • https://cdn.shopify.com/s/files/1/0430/5806/9655/files/39101462504.pdf
    • https://cdn.shopify.com/s/files/1/0431/6754/7546/files/adobe_acrobat_dc_cannot_edit.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000065fa.bin
539c9be5eea3b619977d53326b889665e22f292d4cd63b66362ba57a7520ddc7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65FA 5624 bytes
font_01_sfnt_off00007918.bin
ea84804bf4878692b673d2e9c8b2a58952c6d9a641eb53e7aebe59995cf1607d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7918 9000 bytes
font_02_sfnt_off00008b37.bin
8eb8ea8f52dc996e40cfdf5f0da5a81807cad988f47f917265dab0366ba7901c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8B37 10052 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.