Malicious PDF — malware analysis report

Static analysis result for SHA-256 867d5fbb9d52b444…

Verdict: MALICIOUS
File type: PDF
Size: 35.6 KB
Created: 2020-08-29 22:39:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bdc99766b7d3ade1b528b78a536ecac8
SHA-1: 2c0c0fc8f124d47443b42f5f14af1ba1b6438696
SHA-256: 867d5fbb9d52b44474148db05b932b35714898e6dd2e656c1454e645a3ebef3f
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.001 Malicious Link

The PDF is a link farm: it carries many clickable external URLs, including a critical redirector link to 'ttraff.cc', consistent with a phishing or malicious-redirection lure rather than a parser exploit. The ML classifier also scored the file as malicious with maximum confidence. The document body, although heavily obfuscated, references the redirector URL and the other linked PDF files, which reinforces the link-farm assessment.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL on its own is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) record how each URL was reached.
    • https://ttraff.cc/wix?keyword=eve+online+r (redirector; the target of PDF_MALICIOUS_REDIRECTOR_LINK)
    • https://cdn.shopify.com/s/files/1/0432/7538/7043/files/kanekejuxezedovuzarevo.pdf
    • https://cdn.shopify.com/s/files/1/0431/0256/8599/files/l_loge_du_carburateur.pdf
    • https://cdn.shopify.com/s/files/1/0431/8127/7352/files/47972512764.pdf
    • https://cdn.shopify.com/s/files/1/0429/7847/6195/files/blue_eyes_with_brown_specks.pdf
    • https://static.usrfiles.com/ugd/856cea_43de77be1ae74d8aa7924525ef105b80.pdf
    • https://static.usrfiles.com/ugd/0511f5_a6c2d60ec3654da78154f05c5dc950fe.pdf
    • https://static.usrfiles.com/ugd/b8c837_7a34f25398c34df9b1a99cc4e235aec6.pdf
    • https://cdn.shopify.com/s/files/1/0430/6262/4405/files/dovujajopelebudasewawus.pdf
    • https://cdn.shopify.com/s/files/1/0430/9693/2505/files/wenebizobopuxotuferifetef.pdf
    • https://cdn.shopify.com/s/files/1/0431/4667/4330/files/etina_pro_cizince_b1.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are standard XMP/RDF metadata namespace identifiers from the document's metadata, not clickable link targets.
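The two critical heuristics above, PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM, reduce to a small amount of logic over the document's link annotations. The Python below is an added example written for this report, not the analysis engine's own code. It pulls /URI actions out of raw PDF bytes (which is also why XMP namespace URIs in the metadata stream never count as clickable links), then scores the result with constructed thresholds (five or more external .pdf links, half or more of them on one host, file under 100 KB) and a one-host indicator set. The indicator host and the redirector URL are the ones quoted in this report; the sample PDF it builds, the other hosts and the thresholds are constructed for illustration.

```python
"""Link-annotation extraction and SEO link-farm scoring for small PDF carriers.
Added example for this report, not the analysis engine's code. The sample PDF,
thresholds and indicator list are constructed for illustration."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Hosts treated as redirector infrastructure. 'ttraff.cc' is the host named in
# the report above; a real deployment would load this from an intel feed.
REDIRECTOR_HOSTS = {"ttraff.cc"}

# /URI values of link-annotation actions (/A << /S /URI /URI (...) >>): literal
# strings in parentheses with backslash escapes, hex strings in angle brackets.
# Caveat: objects packed into object streams (PDF 1.5+) must be inflated first;
# Qt 4.x / wkhtmltopdf output does not use them.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
SIMPLE_ESCAPES = {0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09, 0x62: 0x08, 0x66: 0x0C}


def unescape_pdf_literal(raw: bytes) -> bytes:
    """Resolve PDF literal-string escapes: \\( \\) \\\\ \\n-style, \\ddd octal, backslash-EOL."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):          # backslash
            j = i + 1
            while j < len(raw) and j < i + 4 and raw[j] in b"01234567":
                j += 1
            if j > i + 1:                                 # \d, \dd or \ddd
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
            elif raw[i + 1] in b"\r\n":                   # line continuation: drop both
                i += 2
            else:                                         # \n \r \t \b \f, or the char itself
                out.append(SIMPLE_ESCAPES.get(raw[i + 1], raw[i + 1]))
                i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)


def extract_uri_actions(pdf: bytes) -> list[str]:
    """Clickable link targets only; URL-shaped bytes in /Metadata or content streams are not collected."""
    uris = [unescape_pdf_literal(m.group(1)).decode("latin-1") for m in URI_LITERAL.finditer(pdf)]
    for m in URI_HEX.finditer(pdf):
        digits = re.sub(rb"\s+", b"", m.group(1))
        digits += b"0" if len(digits) % 2 else b""      # odd-length hex string: pad per spec
        uris.append(bytes.fromhex(digits.decode("ascii")).decode("latin-1"))
    return uris


def score_link_farm(pdf: bytes, *, min_links: int = 5, max_size: int = 100 * 1024,
                    dominant_share: float = 0.5) -> dict:
    """Apply the two report heuristics. Thresholds are illustrative assumptions."""
    external = [u for u in extract_uri_actions(pdf) if urlsplit(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    redirectors = sorted({u for u in external if (urlsplit(u).hostname or "").lower() in REDIRECTOR_HOSTS})
    hits = []
    if redirectors:
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if len(pdf) <= max_size and len(pdf_links) >= min_links and share >= dominant_share:
        hits.append("PDF_SEO_LINK_FARM")
    return {"size": len(pdf), "external_links": len(external), "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 2), "redirector_links": redirectors, "hits": hits}


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed sample: one page carrying only a stack of link annotations (the shape of a generated SEO carrier)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            (f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
             + " ".join(f"{4 + i} 0 R" for i in range(len(urls))) + "] >>").encode()]
    for i, url in enumerate(urls):
        lit = url.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [72 {700 - 20 * i} 540 {714 - 20 * i}] "
                    f"/Border [0 0 0] /A << /S /URI /URI ({lit}) >> >>".encode())
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{n} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_at = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{off:010d} 00000 n \n".encode() for off in offsets)
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref_at}\n%%EOF\n".encode()
    return bytes(out)


# Constructed link set: seven PDFs on one host, three on another, the redirector URL quoted in the report, one ordinary page.
SAMPLE_URLS = (["https://ttraff.cc/wix?keyword=eve+online+r"]
               + [f"https://cdn.files.example/s/files/1/{n:04d}/doc{n}.pdf" for n in range(7)]
               + ["https://static.files.test/ugd/a1.pdf", "https://static.files.test/ugd/a2.pdf",
                  "https://static.files.test/ugd/notes_(final).pdf"]    # parentheses exercise the unescaper
               + ["https://www.example.com/"])                          # external but not a PDF: not counted

if __name__ == "__main__":
    for key, value in score_link_farm(build_sample_pdf(SAMPLE_URLS)).items():
        print(f"{key}: {value}")
```

The redirector match is on hostname only, so any path or query on a listed host fires; the link-farm rule counts only external links whose path ends in .pdf, so the ordinary example.com page in the sample does not inflate the count. Running the module prints the score dictionary for the constructed sample, which triggers both heuristics.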

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00005003.bin
    SHA-256: a6d0fae4b068553e299597eab70e14eefa313faf71f01e59b11024199422bbe8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5003
    Size: 4308 bytes
  • font_01_sfnt_off00005ebb.bin
    SHA-256: 8dfd32132b157b2681b05bc0c17f54daa2d3e9604a635b7ec5bd147f9d606c79
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5EBB
    Size: 10500 bytes