Malicious PDF — malware analysis report

Static analysis result for SHA-256 94db8d54e6edefdf…

MALICIOUS

PDF

49.0 KB Created: 2020-08-24 19:05:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b9b0fac0c0281dcae4d950bf2ef734e2 SHA-1: 66904704d9d171f78423a5d316b0b394c0fa7fa9 SHA-256: 94db8d54e6edefdfd6a48319734452acb71fb7558badef65b47fcf4e30e23d03
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass of external links, many pointing to Shopify domains, but one critical link redirects to a known malicious domain (ttraff.cc). This suggests a link farm or SEO poisoning tactic to distribute malicious content. The ML classifier also strongly flagged this PDF as malicious. The primary attack pattern involves luring the user to click on the malicious redirector URL, likely to download a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=simplifying+rational+functions+pdf
    • http://files.texasboutique2020.com/uploads/1/3/1/4/131437474/2006938.pdf
    • http://files.foxslowponies.com/uploads/1/3/0/7/130738928/rutukazo.pdf
    • http://betogifus.singingsawpress.com/uploads/1/3/1/4/131406390/vonatewobijoxug-joviwufomewunok.pdf
    • https://cdn.shopify.com/s/files/1/0429/7365/9290/files/49838637621.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/96226605796.pdf
    • https://cdn.shopify.com/s/files/1/0431/8032/7076/files/13115201073.pdf
    • https://cdn.shopify.com/s/files/1/0434/0174/0439/files/42898667349.pdf
    • https://cdn.shopify.com/s/files/1/0438/0976/7584/files/business_plan_for_startup_software_company.pdf
    • https://cdn.shopify.com/s/files/1/0430/9565/4554/files/66275391960.pdf
    • https://cdn.shopify.com/s/files/1/0434/4479/7600/files/android_studio_3._5_development_essentials.pdf
    • https://cdn.shopify.com/s/files/1/0437/3417/1800/files/mcculloch_eager_beaver_2._0_chainsaw_manual.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/46676539889.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006c06.bin
fec06fc8b7f82fa1ed34f8ee353f9f8baec358c90158434e414eda3e9acfa195		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C06 5680 bytes
font_01_sfnt_off00007f42.bin
1123cddd7cdae67cc89860d602d29dcad76f60b0a6b2b0d3a9a14566bcbcfbf8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F42 10248 bytes
font_02_sfnt_off0000a282.bin
c43c81af3addadc619f1b50b0eb79006c69e58cb90abf43f7a5fbd940e22698c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA282 16060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.