Malicious PDF — malware analysis report

Static analysis result for SHA-256 95c03317f98b6c70…

Verdict: MALICIOUS
File type: PDF
Size: 81.1 KB
Created: 2020-08-29 19:02:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a8d25dae4bbb586dc210ea839420f110
SHA-1: d77a6238984d0cde316970a7b05079a116601e70
SHA-256: 95c03317f98b6c701b604dba662951c4f8f71768fcdad381b55f584b0de20b11
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF triggers a critical heuristic for a malicious redirector link pointing to 'https://ttraff.com/wix?keyword=mouto+sae+ireba+ii'. A second critical heuristic identifies a PDF link farm: 26 external PDF links, a pattern consistent with distributing malicious content or manipulating search rankings (SEO). The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted; the embedded malicious URL is the primary indicator of compromise.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.com/wix?keyword=mouto+sae+ireba+ii

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00008afa.bin | fbf41d2b6611c6ff3c3136ac83f7ce6fd2b27d01f027a122785dae83138fbf43 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8AFA | 37492 bytes
font_01_sfnt_off00010054.bin | b839f185d4bb7011cf04bde8a11654d943fbede22e4635493c754acad1a1feb2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10054 | 4824 bytes
font_02_sfnt_off000110d7.bin | 50aa2c7feff24916efedd8ad055285e8b4901608373b8e53e5f3d88123222bf8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x110D7 | 10688 bytes