Malicious PDF — malware analysis report

Static analysis result for SHA-256 90595dad1d2f1ebb…

Verdict: MALICIOUS

File type: PDF

Size: 53.9 KB
Created: 2020-08-03 03:34:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ae6a71d49f263a0631e8d1740a0d065a
SHA-1: de036b7270aa4880d311d42c93aa6fae84bb31c3
SHA-256: 90595dad1d2f1ebb88b25ceab241b6f713a2619105249a014ad55886490e7536
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a significant number of embedded links, many pointing to Shopify-hosted PDFs, indicative of a link farm or SEO manipulation. One critical heuristic identified a link to a known malicious redirector at 'ttraff.com'. The ML classifier also flagged this PDF with high confidence. No scripts were extracted, but the presence of the malicious redirector and the link farm strategy suggests an attempt to lure users to malicious content or manipulate search engine results.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=the+carter+4

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000970f.bin
    SHA-256: 7fd3734f3ee9781aaa499b234e6bbe3afd1b30b33bf249d5d39eec56320c5690
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x970F
    Size: 4712 bytes
  • Filename: font_01_sfnt_off0000a70f.bin
    SHA-256: b40e985d4e32d7607ed0dfcb80e4862930e730152ee29f15947ac178d129de40
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA70F
    Size: 10668 bytes