Malicious PDF — malware analysis report

Static analysis result for SHA-256 90c78ec8ad23f70f…

Verdict: MALICIOUS
File type: PDF
Size: 82.2 KB
Created: 2020-09-18 01:03:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 97c7a7c2950fa47cff595254d2a0ea40
SHA-1: eefab44083b3c5c23796f9f7dbbefca779e0ac49
SHA-256: 90c78ec8ad23f70ff0c17f192b332b605d36ed5ffe077d8885df4678546b00cc
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.ru/wix?keyword=cape+fear+elementary+staff'. Additionally, it exhibits characteristics of a PDF SEO link farm, with numerous embedded links, many hosted on cdn.shopify.com. The ML classifier also strongly indicated maliciousness. The document body, though heavily obfuscated, contains the same malicious URL, suggesting the primary intent is to redirect the user to a potentially harmful site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/wix?keyword=cape+fear+elementary+staff

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fc06.bin
    SHA-256: a51d303e535184f16315c7ec3c705d2cff1a9f02ba8b17d597c82dd2931f71b0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFC06
    Size: 5052 bytes
  • Filename: font_01_sfnt_off00010d2d.bin
    SHA-256: 2359f5ed1f07d7dcce17b044d9ca5056187b38c654b0b31416639fa91f1cfc78
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10D2D
    Size: 14952 bytes