Malicious PDF — malware analysis report

Static analysis result for SHA-256 9423462050bcd3fb…

MALICIOUS

PDF

40.5 KB Created: 2020-09-03 07:00:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a3da98a4b5d9abf23186319924dbfc79 SHA-1: 243842f77e80434a86879f2e4e68f5faf5ea310f SHA-256: 9423462050bcd3fb3a8845edaeb91fe4a01f0990b19831483b253017c40167f9
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass of external links, many pointing to benign Shopify domains, but one critical link directs to a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.me/wix?keyword=cfm+full+form+medicine', suggesting a lure to a malicious site disguised as a search result. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=cfm+full+form+medicine
    • https://cdn.shopify.com/s/files/1/0434/9440/8354/files/arnis_history.pdf
    • https://cdn.shopify.com/s/files/1/0439/7583/5806/files/supermario_bros_3_cheats.pdf
    • https://cdn.shopify.com/s/files/1/0434/3001/9229/files/49908843068.pdf
    • https://cdn.shopify.com/s/files/1/0431/2930/7296/files/konumepisafisogawobukalok.pdf
    • https://cdn.shopify.com/s/files/1/0429/8306/3715/files/45219723584.pdf
    • https://static.usrfiles.com/ugd/cc089a_0851cb464e4346319649c7af2d9b25c4.pdf
    • https://static.usrfiles.com/ugd/b8c837_467f2dc5953d4a34aabb7284f47b995b.pdf
    • https://static.usrfiles.com/ugd/99a8f2_bad2a076d1f04dfd85702598a4b6680a.pdf
    • https://static.usrfiles.com/ugd/cdb50c_464aa1f43b974853aa1c5434ec7a3b60.pdf
    • https://static.usrfiles.com/ugd/71fd01_46e379b58eb943a3a966b82067bc9b05.pdf
    • https://static.usrfiles.com/ugd/1a89c8_4f58aec2b562489baa7b86a5cc44ac3f.pdf
    • https://static.usrfiles.com/ugd/ef7486_9927d8c31848491b915b7f09111ab065.pdf
    • https://static.usrfiles.com/ugd/fdd6c2_6b4ed52598254349a1a5c609734220f8.pdf
    • https://static.usrfiles.com/ugd/cec570_3779c88e10464070a357b7719a9b1b0d.pdf
    • https://static.usrfiles.com/ugd/b8c837_ad5c5d54f2be471a94e0c221cdb78c6c.pdf
    • https://static.usrfiles.com/ugd/fbcb80_710ecb3101cb474197ef5ab64d49f32b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006145.bin
ad1263da42a5f399b097184607ac65aa697fcce02e57bbf33385680d2a6c2d9b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6145 4684 bytes
font_01_sfnt_off00007118.bin
5b96c767c9365966985fe6427853c04c6cdb1e45e0e89f8a069705985e4edb5e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7118 10524 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.