Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e9cfba9cdb31f90…

MALICIOUS

PDF

45.9 KB Created: 2020-09-08 18:06:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9b7dcae87569ba1f2bef8f16a25d6727 SHA-1: 5ac8b54927014f308b276bd795f4dd25eca12e51 SHA-256: 8e9cfba9cdb31f90b630feea4ef43dc67f7fdad04d9562a1850310f99a9c6cce
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a malicious redirector link disguised as a Cydia jailbreak update for iOS 13. The ML classifier strongly indicates maliciousness, and the PDF structure includes a mass of external links, many pointing to the same domain, suggesting a link farm for SEO manipulation or traffic redirection. The primary malicious IOC is the ttraff.link URL, which likely leads to further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=cydia++no+jailbreak+ios+13
    • https://static.usrfiles.com/ugd/b8c837_a8de1a510741490685f51a983956bd75.pdf
    • https://static.usrfiles.com/ugd/de65f7_276f5d07a62148f395da80a75b21a776.pdf
    • https://static.usrfiles.com/ugd/e73fea_3d5f56ec077b48adbe409975d45b24f2.pdf
    • https://static.usrfiles.com/ugd/576447_a0edbf597140485f8ef178f728634da1.pdf
    • https://static.usrfiles.com/ugd/7d21c0_5f17d110003948aebcd7558a816ea7f9.pdf
    • https://static.usrfiles.com/ugd/e42ee3_0842cd4eb5f14831b7bfe3547e99ff63.pdf
    • https://static.usrfiles.com/ugd/6cfc61_eaf1d05a40bd4b0a973439124237d697.pdf
    • https://static.usrfiles.com/ugd/d3758e_05f72654dca74f9a9b5eaac68d3c8f8c.pdf
    • https://cdn.shopify.com/s/files/1/0434/7248/6564/files/73138055257.pdf
    • https://cdn.shopify.com/s/files/1/0433/4583/8248/files/49532001591.pdf
    • https://static.usrfiles.com/ugd/99a8f2_1c31912c6d894a4c93a456cd0108de51.pdf
    • https://static.usrfiles.com/ugd/eb4c03_ebc211b303bf4805b36204eebb3f0779.pdf
    • https://static.usrfiles.com/ugd/89c6ad_84665f3179ef4af9b4fcca03cd07b3d0.pdf
    • https://static.usrfiles.com/ugd/0582e0_7ed7e4ad44794bcbb7336bf7b8c3c5c6.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007525.bin
a97cd8aa70dd73c0c665ec3bac32ce98165efa4ba304a4485726b7ff885f7a59		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7525 5324 bytes
font_01_sfnt_off0000875b.bin
b64078ae6e78e90f803fa5cc215a36b9c49a0de51e2e2d6575ef48f4f1f53c5f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x875B 10580 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.