Malicious PDF — malware analysis report

Static analysis result for SHA-256 936dd5881a9af81f…

MALICIOUS

PDF

44.5 KB Created: 2020-08-29 10:52:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c40b10e15c73512c8f98514354be3779 SHA-1: 9f8e9d37f276e992be18f8677d185e10c7e769ab SHA-256: 936dd5881a9af81f02710cfd620b9b253e6075a338602a961fc5aa2e53fff79e
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.cc'. The document body, though heavily obfuscated, contains text related to 'painting bid proposal templates' and the malicious URL itself. This suggests a social engineering lure to trick the user into clicking the link, which then leads to malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=painting+bid+proposal+templates
    • https://static.usrfiles.com/ugd/b8c837_eb3e1e059e0749269d4556dbfeadb537.pdf
    • https://static.usrfiles.com/ugd/b8c837_5befc4d52e1247e49ff40fd82dcd01e4.pdf
    • https://static.usrfiles.com/ugd/d78803_f1e420d00b534c4b8d07728c3ac6a985.pdf
    • https://static.usrfiles.com/ugd/b8c837_680e05bdc0c94673a999faa07cd065ff.pdf
    • https://cdn.shopify.com/s/files/1/0432/3701/5719/files/2923505147.pdf
    • https://cdn.shopify.com/s/files/1/0432/4923/8178/files/35560815096.pdf
    • https://cdn.shopify.com/s/files/1/0435/2039/3375/files/amway_products_catalogue_with_price.pdf
    • https://static.usrfiles.com/ugd/b8c837_96fc0f23e4144a17826ac6aca3cbee9b.pdf
    • https://static.usrfiles.com/ugd/b8c837_65e00add5f7e4f819b732a07367ea238.pdf
    • https://static.usrfiles.com/ugd/b8c837_7a83b0ded17144df8f748b470081d58e.pdf
    • https://static.usrfiles.com/ugd/b8c837_3e8723e5c2844bbfaa6b46d80c58e448.pdf
    • https://static.usrfiles.com/ugd/b8c837_fee92836f6af420a8da6b610078c3049.pdf
    • https://static.usrfiles.com/ugd/b8c837_b8333e51fbd040d286aa09d763f6a548.pdf
    • https://static.usrfiles.com/ugd/b8c837_6c9a36911d6446bbacbd7eca97a881b4.pdf
    • https://static.usrfiles.com/ugd/b8c837_73aecdcee4494698a35584d52deb893a.pdf
    • https://static.usrfiles.com/ugd/b8c837_1748ed109e5443f8844708c35c88e09b.pdf
    • https://static.usrfiles.com/ugd/b8c837_7474e173042e48d09a9aaf84ad0c5dcb.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006ed8.bin
256ad2b7360ec28332940e2e7e268eff9f80ae44b929b85fc554bbea122b4030		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6ED8 5420 bytes
font_01_sfnt_off00008120.bin
c0c8ab168523562ebe504357f44446e0f3e70e9970223e7446ecd036192ad3aa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8120 10524 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.