Malicious PDF — malware analysis report

Static analysis result for SHA-256 94ce3801527f69c8…

MALICIOUS

PDF

36.7 KB Created: 2020-08-30 17:00:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a6f0af2de0c956a132c702c2f4581040 SHA-1: b8a153e556367f7560149628ba7a20baca11fdc0 SHA-256: 94ce3801527f69c89cff7a70c2d8da7a7ac2c6392b413e40c34a5d4b15663b48
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.club, which is likely intended to lead the user to a phishing or malware distribution site. The document body, though heavily obfuscated, contains text related to 'Sistem analizi ve tasarimi proje' (System analysis and design project), suggesting a lure to disguise the malicious intent. The presence of numerous external PDF links, many pointing to Shopify domains, further indicates a link farm or SEO poisoning tactic to increase the visibility of the malicious redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=sistem+analizi+ve+tasar%25C4%25B1m%25C4%25B1+proje
    • https://static.usrfiles.com/ugd/1d64af_b2276e8e8bc141d1b8aa0b633b9337c8.pdf
    • https://static.usrfiles.com/ugd/c1108c_a882019ffb084d81a75566c665fb2833.pdf
    • https://static.usrfiles.com/ugd/9b33c5_368c8fd6d1c04b1ebbda7b6d2598c20e.pdf
    • https://static.usrfiles.com/ugd/eb6612_31db11ce240d451cac2fca8506840b61.pdf
    • https://cdn.shopify.com/s/files/1/0447/0882/3193/files/geographic_information_system_book_download.pdf
    • https://cdn.shopify.com/s/files/1/0427/4287/4278/files/79069744790.pdf
    • https://cdn.shopify.com/s/files/1/0433/0484/5465/files/wexivatozezof.pdf
    • https://cdn.shopify.com/s/files/1/0431/4087/4408/files/blood_cancer_book.pdf
    • https://cdn.shopify.com/s/files/1/0433/9816/8743/files/89311196141.pdf
    • https://cdn.shopify.com/s/files/1/0431/9327/0429/files/wukuwotoziluvemulidobinop.pdf
    • https://static.usrfiles.com/ugd/33c377_401db79efcdb40c09436d144a0e41188.pdf
    • https://static.usrfiles.com/ugd/d1d005_5cb669db1fef46f799a6499c13db425e.pdf
    • https://static.usrfiles.com/ugd/3f80ec_91b4f83f81ae4953a8a66b7c0977c5b9.pdf
    • https://static.usrfiles.com/ugd/b8c837_947bb5f389fb4debabc2e21b2e1a5749.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004e2d.bin
9f5838f5b23c80baa0b90913277d439e1b80557b5f469535e6a577ece98415ff		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4E2D 5288 bytes
font_01_sfnt_off00006019.bin
33a422c6c1cb1d177e8d82d5aa0aa696886b61449ee98cd5b60be49da9f75f13		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6019 12096 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.