Malicious PDF — malware analysis report

Static analysis result for SHA-256 93a2235f186c0389…

Verdict: MALICIOUS
File type: PDF
Size: 44.5 KB
Created: 2020-08-31 09:47:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b6ae52e86dd30cc22bdd7e79ebdb1df9
SHA-1: 233921edabc8b08943e6289fc4fd2b47bbe59123
SHA-256: 93a2235f186c0389f6367a36877a57467c2686ff9dbb29bd57c28bffbfc220ce
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link (the report originally paired this ID with the name "Spearphishing Attachment", which is T1566.001; the findings below describe a clickable link lure, so the Link sub-technique is the consistent mapping)
T1059.001 PowerShell (emitted by the tool; none of the heuristics or carved artifacts below shows a script stage, so treat this mapping as unverified for this sample)

A critical heuristic fires on a clickable redirector link to 'https://ttraff.link/wix?keyword=ajax+jquery+tutorial+pdf'; the query string carries the search phrase the document is meant to rank for, which is how these SEO-poisoning carriers reach victims. The document's primary purpose is to lure a user into clicking through to that infrastructure. It also carries a link farm of external PDF links, mostly on one host, the pattern of generated SEO-poisoning carriers. The Nyx PDF classifier scores it 1.0000 (the maximum). Note what the verdict rests on: the heuristics describe a user-interaction redirect chain, no PDF parser exploit is claimed, and the only carved objects are two embedded fonts, so the actual payload lives off-document and cannot be recovered from this static sample alone.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.link/wix?keyword=ajax+jquery+tutorial+pdf
    • https://static.usrfiles.com/ugd/b8c837_1df8a0a6591542ecab335419ce362a40.pdf
    • https://static.usrfiles.com/ugd/b8c837_eb2f0606e16f4f47803da1a71a0a1434.pdf
    • https://static.usrfiles.com/ugd/b8c837_ef3a5826b81447a38677df76b31ebf58.pdf
    • https://static.usrfiles.com/ugd/b8c837_1b71d75ab8ef4596b2a344b295b1484e.pdf
    • https://static.usrfiles.com/ugd/b8c837_bec52d215bef415bab6634e77357ab05.pdf
    • https://static.usrfiles.com/ugd/64f9d2_1a5f4b6557c04134b99651f2c5db79b2.pdf
    • https://static.usrfiles.com/ugd/f96b02_928f9dda5b904e27bc2f48b3fa1e55c9.pdf
    • https://static.usrfiles.com/ugd/b8c837_9096d5bc6f8d4641a47c47d913564d34.pdf
    • https://static.usrfiles.com/ugd/b8c837_528317447e284e2898b0305cc4846d9f.pdf
    • https://cdn.shopify.com/s/files/1/0434/0000/3749/files/35071335186.pdf
    • https://cdn.shopify.com/s/files/1/0438/2529/9606/files/sikusomodagivusonip.pdf
    • https://cdn.shopify.com/s/files/1/0433/4062/8120/files/karojo.pdf
    • https://cdn.shopify.com/s/files/1/0433/6720/2974/files/oxford_german_english_dictionary_free.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/10699911966.pdf
    • https://cdn.shopify.com/s/files/1/0437/9970/7805/files/cloridrato_de_amiodarona_bula.pdf
    • https://cdn.shopify.com/s/files/1/0437/1985/2200/files/59809068524.pdf
    • https://cdn.shopify.com/s/files/1/0431/6545/0391/files/bozutofolifekijeda.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The six http:// entries above are RDF/XMP namespace identifiers from the document's metadata stream, not clickable links; they appear in any XMP-tagged PDF and carry no signal on their own.
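The three heuristics above reduce to a small amount of logic once the URLs are pulled out by channel: clickable /URI link annotations on one side, XMP xmlns declarations on the other, then a size/count/host-clustering test for PDF_SEO_LINK_FARM and a host blocklist check for PDF_MALICIOUS_REDIRECTOR_LINK. The script below is an added example, not the analysis tool's own code. The thresholds, the regex-based extraction, and the one-entry blocklist are assumptions for illustration; the sample input is a constructed, PDF-shaped byte string carrying the 18 clickable URLs listed in this report plus two of the XMP namespaces, not the real sample.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Two extraction channels the report distinguishes: clickable /URI link
# annotations and xmlns namespace declarations inside the XMP metadata stream.
# Only literal-string (...) URIs are handled; hex <...> strings and escaped
# parentheses inside a URI are out of scope for this example.
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9]+="([^"]+)"')

# Assumed thresholds for PDF_SEO_LINK_FARM (not the vendor's actual tuning).
MAX_SMALL_PDF = 256 * 1024      # "small" PDF: at most 256 KiB
MIN_PDF_LINKS = 8               # "many" external .pdf links
MIN_TOP_HOST_SHARE = 0.5        # "mostly clustered on one host"

# Assumed blocklist: the report labels ttraff.link as redirector infrastructure;
# a deployment would load this from threat intel rather than hard-code it.
REDIRECTOR_HOSTS = {"ttraff.link"}


def extract_urls(pdf_bytes):
    """Return (channel, url) pairs; the channel says which structure held the URL."""
    found = []
    for m in URI_ACTION_RE.finditer(pdf_bytes):
        found.append(("link_annotation", m.group(1).decode("latin-1")))
    for m in XMLNS_RE.finditer(pdf_bytes):
        found.append(("xmp_namespace", m.group(1).decode("latin-1")))
    return found


def clickable_links(pdf_bytes):
    """Only URLs a user can click; XMP namespace IRIs are metadata, not links."""
    return [u for ch, u in extract_urls(pdf_bytes) if ch == "link_annotation"]


def seo_link_farm_verdict(pdf_bytes):
    """PDF_SEO_LINK_FARM: small file, many external .pdf links, one dominant host."""
    pdf_links = [u for u in clickable_links(pdf_bytes)
                 if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    fires = (len(pdf_bytes) <= MAX_SMALL_PDF
             and len(pdf_links) >= MIN_PDF_LINKS
             and share >= MIN_TOP_HOST_SHARE)
    return {"fires": fires, "size": len(pdf_bytes), "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 2)}


def redirector_hits(pdf_bytes):
    """PDF_MALICIOUS_REDIRECTOR_LINK: clickable URI whose host is on the blocklist."""
    return sorted({u for u in clickable_links(pdf_bytes)
                   if urlsplit(u).hostname in REDIRECTOR_HOSTS})


def build_sample_pdf(urls):
    """Constructed sample: PDF-shaped bytes with one /Link annotation per URL and
    an XMP packet. Enough for the regex extractors above; not a valid PDF."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        b"/A << /Type /Action /S /URI /URI (%s) >> >>\n" % u.encode()
        for u in urls)
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"></rdf:RDF>\n')
    return b"%PDF-1.4\n" + annots + xmp + b"%%EOF\n"


# The clickable URL set from this report: 1 redirector, 9 usrfiles, 8 shopify.
SAMPLE_URLS = [
    "https://ttraff.link/wix?keyword=ajax+jquery+tutorial+pdf",
    "https://static.usrfiles.com/ugd/b8c837_1df8a0a6591542ecab335419ce362a40.pdf",
    "https://static.usrfiles.com/ugd/b8c837_eb2f0606e16f4f47803da1a71a0a1434.pdf",
    "https://static.usrfiles.com/ugd/b8c837_ef3a5826b81447a38677df76b31ebf58.pdf",
    "https://static.usrfiles.com/ugd/b8c837_1b71d75ab8ef4596b2a344b295b1484e.pdf",
    "https://static.usrfiles.com/ugd/b8c837_bec52d215bef415bab6634e77357ab05.pdf",
    "https://static.usrfiles.com/ugd/64f9d2_1a5f4b6557c04134b99651f2c5db79b2.pdf",
    "https://static.usrfiles.com/ugd/f96b02_928f9dda5b904e27bc2f48b3fa1e55c9.pdf",
    "https://static.usrfiles.com/ugd/b8c837_9096d5bc6f8d4641a47c47d913564d34.pdf",
    "https://static.usrfiles.com/ugd/b8c837_528317447e284e2898b0305cc4846d9f.pdf",
    "https://cdn.shopify.com/s/files/1/0434/0000/3749/files/35071335186.pdf",
    "https://cdn.shopify.com/s/files/1/0438/2529/9606/files/sikusomodagivusonip.pdf",
    "https://cdn.shopify.com/s/files/1/0433/4062/8120/files/karojo.pdf",
    "https://cdn.shopify.com/s/files/1/0433/6720/2974/files/oxford_german_english_dictionary_free.pdf",
    "https://cdn.shopify.com/s/files/1/0433/0687/7080/files/10699911966.pdf",
    "https://cdn.shopify.com/s/files/1/0437/9970/7805/files/cloridrato_de_amiodarona_bula.pdf",
    "https://cdn.shopify.com/s/files/1/0437/1985/2200/files/59809068524.pdf",
    "https://cdn.shopify.com/s/files/1/0431/6545/0391/files/bozutofolifekijeda.pdf",
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    print(seo_link_farm_verdict(SAMPLE_PDF))
    print(redirector_hits(SAMPLE_PDF))
    for channel, url in extract_urls(SAMPLE_PDF):
        print(f"{channel:16} {url}")
```

On the report's link set, 17 of the 18 clickable URIs point at .pdf files and 9 of those 17 sit on static.usrfiles.com (a 0.53 share), so the link-farm rule fires; the redirector rule fires on the single ttraff.link URI, and the two XMP namespaces are reported under their own channel and never counted as links. Against a real sample, the regexes should be replaced with a proper PDF object parser that also resolves indirect /A references and decodes hex and escaped strings, otherwise an attacker only has to encode the URI differently to slip past the count.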

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded font programs, which is expected output from an HTML-to-PDF converter such as wkhtmltopdf; neither is a script, an embedded file, or a second-stage payload.

Filename: font_00_sfnt_off00006e3d.bin
  SHA-256: 84af858b707347937c4246abe385f2d886bcc35676075fd102e8c67f0ec14399
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6E3D
  Size: 5220 bytes

Filename: font_01_sfnt_off00008028.bin
  SHA-256: 6b253ab1dcb4e675d24286449b83f3936d668a883cc8cb08df32072cd999df2a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8028
  Size: 11268 bytes