Malicious PDF — malware analysis report

Static analysis result for SHA-256 853e4ed7eb39e91e…

MALICIOUS

PDF

43.8 KB Created: 2020-09-01 02:09:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9d5edab5c5d3542fab1f456146d54eae SHA-1: 516de4738ed8dc5672e8c5bf15bff523971b5dfd SHA-256: 853e4ed7eb39e91e112186f4dd5de695220f9824b4569bbb185b125bfbb09c30
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm of 15 external PDF links, many hosted on Shopify, designed to appear legitimate. However, one of the primary links directs to a known malicious redirector at 'ttraff.com'. The document body contains garbled text but includes the target URL, suggesting a lure to a malicious site disguised as a technical document. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=sheet+metal+flatness+spec
    • https://cdn.shopify.com/s/files/1/0438/4070/0578/files/gumajetur.pdf
    • https://cdn.shopify.com/s/files/1/0437/6884/0341/files/52840970566.pdf
    • https://cdn.shopify.com/s/files/1/0465/0087/2344/files/lg_g7_android_9_new_features.pdf
    • https://cdn.shopify.com/s/files/1/0434/3853/8904/files/resij.pdf
    • https://cdn.shopify.com/s/files/1/0438/3732/5462/files/kopuxekem.pdf
    • https://cdn.shopify.com/s/files/1/0438/2598/7734/files/84752976205.pdf
    • https://cdn.shopify.com/s/files/1/0433/4659/1895/files/demigob.pdf
    • https://cdn.shopify.com/s/files/1/0441/1283/8808/files/candy_crush_saga_apk_mod_hack.pdf
    • https://cdn.shopify.com/s/files/1/0430/0737/7561/files/70111641189.pdf
    • https://cdn.shopify.com/s/files/1/0431/6971/0241/files/99255675313.pdf
    • https://cdn.shopify.com/s/files/1/0430/8353/0394/files/naxafozetabezupur.pdf
    • https://cdn.shopify.com/s/files/1/0432/1758/4285/files/loom_bands_instructions_step_by_step.pdf
    • https://cdn.shopify.com/s/files/1/0436/9727/5033/files/regewikiz.pdf
    • https://cdn.shopify.com/s/files/1/0438/2598/7734/files/42625699103.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/ruwisosipopiwusanitilowaz.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d44.bin
8dabb8c08cc9334db9593a08b10612ea603975eb2c1ed3b947672431d37f783c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D44 5264 bytes
font_01_sfnt_off00007f0b.bin
55e97196fdc295bdf41a7e65535adce3fb31ff56733d0b2a3cb31f0838c0a963		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F0B 10308 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.