Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a8415a2d505b5e7…

Verdict: MALICIOUS
File type: PDF
Size: 53.4 KB
Created: 2020-09-08 15:43:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 03d425bf0fb22738d7aee785fa447ac9
SHA-1: 0a309a6a5d9de9e41ca98ced986530b9c5af5269
SHA-256: 8a8415a2d505b5e7ae029603370758d0f98cc716da6b082116bf3afef04714b6
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

A heuristic fires on a clickable link to the redirector host 'ttraff.com', which is also listed as an IOC. The link's query string carries the search term 'yz250f jetting guide', and the same string and URL appear in the otherwise heavily obfuscated document body, consistent with an SEO lure targeting that query. The many further PDF links, clustered on cdn.shopify.com and static.usrfiles.com, form a generated link farm that obscures the final destination. No PDF parser vulnerability is involved: the chain depends on the user clicking and following redirects. The ML classifier scores the document as malicious with maximum confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Link annotation URLs (the first is the redirector IOC; the rest are the link farm):
    • https://ttraff.com/wix?keyword=yz250f+jetting+guide
    • https://cdn.shopify.com/s/files/1/0435/5633/9871/files/situralisukufofaxofimem.pdf
    • https://cdn.shopify.com/s/files/1/0428/9714/6019/files/zojudiwijijaxu.pdf
    • https://cdn.shopify.com/s/files/1/0440/4497/6278/files/gezokagunojanorisesug.pdf
    • https://cdn.shopify.com/s/files/1/0438/2218/6653/files/dictionnaire_orthophonie.pdf
    • https://cdn.shopify.com/s/files/1/0427/7701/8524/files/83499827313.pdf
    • https://static.usrfiles.com/ugd/21e6f2_9a5cda40b87a4f5e89a83dbea063dde3.pdf
    • https://static.usrfiles.com/ugd/6e13d9_aaad82a1a7624bf0b8255ae6fd23308c.pdf
    • https://static.usrfiles.com/ugd/df73ab_bbd1b0a762bc481c8cb2bd666f681f9e.pdf
    • https://static.usrfiles.com/ugd/a31856_c47d6f717fa2454bb24bea183cd9edd9.pdf
    • https://cdn.shopify.com/s/files/1/0432/5359/6310/files/84522812953.pdf
    • https://cdn.shopify.com/s/files/1/0437/8460/1761/files/spectro_analytical_techniques.pdf
    • https://cdn.shopify.com/s/files/1/0435/3314/0127/files/kokegajin.pdf
    • https://static.usrfiles.com/ugd/28b3f7_3a72e48419a64a02a0e3b101b5c463f1.pdf
    • https://static.usrfiles.com/ugd/d54300_95e4e6b6647c494bbf8b89fc1d9c3fb4.pdf
    • https://static.usrfiles.com/ugd/b6edda_538796f287d94f6693b5e61d267d7df5.pdf
    • https://static.usrfiles.com/ugd/cac9e4_fd8f6fd49f9d4052990789d38a87d14d.pdf
    XMP metadata namespace identifiers (RDF, Dublin Core, Adobe PDF/XMP schemas), extracted as strings; these are standard schema URIs, not link targets, and carry no signal here:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
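The two link heuristics above can be reproduced from the /URI entries of a PDF's link annotations. The block below is an added example, not code from the report or from the analysis engine that produced it: it extracts link-annotation URIs with a regex, flags links to a redirector watch-list host, and applies a "small file, many external .pdf links, mostly on one host" test. The thresholds, the watch-list set and all function names are assumptions for this example (the report does not publish its own thresholds), and the sample PDF is constructed inline from the URLs listed above so the code runs offline; it is not the analysed file.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Example thresholds and watch-list (assumed for this block, not the report's own).
SMALL_PDF_MAX_BYTES = 100 * 1024
LINK_FARM_MIN_PDF_LINKS = 8
LINK_FARM_MIN_TOP_HOST_SHARE = 0.5
REDIRECTOR_HOSTS = {"ttraff.com"}  # host listed as an IOC in the report above

# Matches literal-string /URI entries: /URI (https://...) with \( \) \\ escapes.
# Hex strings (<...>) and annotations inside compressed object streams are not
# handled; a real triage uses a PDF parser for those.
URI_RE = re.compile(rb"/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)")


def extract_link_uris(pdf_bytes: bytes) -> list[str]:
    """Return the /URI targets of link annotations in order of appearance."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\(.)", rb"\1", m.group("uri"))  # undo PDF string escapes
        uris.append(raw.decode("latin-1"))
    return uris


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def evaluate(pdf_bytes: bytes) -> dict:
    """Apply the redirector and link-farm heuristics; return fired rule names
    together with the evidence an analyst would want alongside them."""
    uris = extract_link_uris(pdf_bytes)
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    fired = []

    # Rule 1: any clickable link whose host is on the redirector watch-list.
    redirector_hits = sorted({host_of(u) for u in external} & REDIRECTOR_HOSTS)
    if redirector_hits:
        fired.append("PDF_MALICIOUS_REDIRECTOR_LINK")

    # Rule 2: small file, many external .pdf links, mostly clustered on one host.
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(host_of(u) for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    if (len(pdf_bytes) <= SMALL_PDF_MAX_BYTES
            and len(pdf_links) >= LINK_FARM_MIN_PDF_LINKS
            and share >= LINK_FARM_MIN_TOP_HOST_SHARE):
        fired.append("PDF_SEO_LINK_FARM")

    return {
        "size": len(pdf_bytes),
        "uris": external,
        "redirector_hosts": redirector_hits,
        "pdf_link_count": len(pdf_links),
        "top_pdf_host": top_host,
        "top_pdf_host_share": share,
        "fired": fired,
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed sample: a one-page PDF whose only content is one link
    annotation per URL. Exists so the block runs offline; not the analysed file."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ("
        + u.encode("latin-1") + b") >> >>\n" for u in urls)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [\n" + annots +
            b"] >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%EOF\n")


# A subset of the URLs listed in the report, reused as the constructed sample's links.
SAMPLE_URLS = [
    "https://ttraff.com/wix?keyword=yz250f+jetting+guide",
    "https://cdn.shopify.com/s/files/1/0435/5633/9871/files/situralisukufofaxofimem.pdf",
    "https://cdn.shopify.com/s/files/1/0428/9714/6019/files/zojudiwijijaxu.pdf",
    "https://cdn.shopify.com/s/files/1/0440/4497/6278/files/gezokagunojanorisesug.pdf",
    "https://cdn.shopify.com/s/files/1/0438/2218/6653/files/dictionnaire_orthophonie.pdf",
    "https://cdn.shopify.com/s/files/1/0427/7701/8524/files/83499827313.pdf",
    "https://static.usrfiles.com/ugd/21e6f2_9a5cda40b87a4f5e89a83dbea063dde3.pdf",
    "https://static.usrfiles.com/ugd/6e13d9_aaad82a1a7624bf0b8255ae6fd23308c.pdf",
    "https://static.usrfiles.com/ugd/df73ab_bbd1b0a762bc481c8cb2bd666f681f9e.pdf",
]

if __name__ == "__main__":
    result = evaluate(build_sample_pdf(SAMPLE_URLS))
    for k, v in result.items():
        print(f"{k}: {v}")
```

A legitimate document with a handful of citation links to one publisher does not meet the link count threshold and fires neither rule; the host-share test is what separates "many references" from "one host's generated link farm". Because the regex only sees uncompressed literal strings, run it after decompressing object streams (pdf-parser.py or qpdf can do that), or the link farm stays invisible.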

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are sfnt (TrueType/OpenType) font streams, as expected from wkhtmltopdf output; no script or executable payload was carved.

Filename: font_00_sfnt_off00008c79.bin
  SHA-256: 0c31658fbbc7d6745bffd969c6ad846cc3f4be0ffb2ce81ac6dc66d456199b0d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8C79
  Size: 5044 bytes

Filename: font_01_sfnt_off00009dda.bin
  SHA-256: d91e70affaf7ebe3354138b8b97d7a7e20c965b2545d0b30714d2bec8e3e199a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9DDA
  Size: 13708 bytes