Malicious PDF — malware analysis report

Static analysis result for SHA-256 931a1842369c642f…

MALICIOUS

PDF

35.1 KB Created: 2020-09-19 21:33:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bb6bfc5dc920040a81f3d83fcafdce61 SHA-1: b9112d59b13ae4c17607bc69f64d99707361b859 SHA-256: 931a1842369c642f8ad73301cf2b11397ee63e20274b1419bc0316a87d5d7eb2
90 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing indicating a malicious redirector link to 'https://ttraff.me/wix?keyword=lesson+5+vocabulary+answers'. The document body, though heavily obfuscated, also contains this URL. This suggests the primary purpose of the PDF is to lure the user to this malicious site, likely for a phishing attack or to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=lesson+5+vocabulary+answers
    • https://cdn.shopify.com/s/files/1/0428/6706/4998/files/savozavesopopupupigajezi.pdf
    • https://cdn.shopify.com/s/files/1/0431/7921/2960/files/vuwafilukoguludosun.pdf
    • https://cdn.shopify.com/s/files/1/0432/8734/7360/files/24049732110.pdf
    • https://cdn.shopify.com/s/files/1/0437/6428/5601/files/ritotozesofidixanuwefuxo.pdf
    • https://6f42be60-0bf2-4e2b-92d1-03612ad376f0.filesusr.com/ugd/3826db_09bdc27206404e289dbab687727a9237.pdf?index=true
    • https://9bc5322c-f0c8-4109-876e-f502443b6012.filesusr.com/ugd/0286dd_e5d3aafa1b644b3093b23b7b0230d3e0.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0438/5511/8501/files/8060853187.pdf
    • https://cdn.shopify.com/s/files/1/0438/8480/6299/files/lowawofagowejosaso.pdf
    • https://cdn.shopify.com/s/files/1/0439/5683/0366/files/xedesopavisiluwufapix.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000046bf.bin
f6e123d423aa65850a3861d5d40740b10624c489ec9438692ef629390576f279		 pdf-font-stream PDF embedded font (sfnt) at offset 0x46BF 5252 bytes
font_01_sfnt_off000058d1.bin
939066eb3911d122cb4a05d98f500014a00a9f6ab4e306d96b35ab03e9c3c2a7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x58D1 12364 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.