Malicious PDF — malware analysis report

Static analysis result for SHA-256 97cb39ffbc61db0d…

Verdict: MALICIOUS
File type: PDF

Size: 477.2 KB
Created: 2020-10-07 09:27:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a8a212f52252f4e31967896a85161e74
SHA-1: ab1370674db2aa11ea581fb0052352acb3185c88
SHA-256: 97cb39ffbc61db0d4c2081d4c4088c7c5d364d9d7bbaeedc5564334cab499d40
Risk score: 90

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1059.001 Command and Scripting Interpreter: PowerShell (not supported by anything in this static result: no script content was extracted from the file, so treat this mapping as unverified for the sample)

The critical heuristic fired on a clickable URI to 'ttraff.com', a redirector host tied to a known malicious PDF SEO/adware delivery campaign, and the ML classifier independently scored the file as malicious (0.9991). No other heuristic fired and the only carved artifacts are embedded fonts, so the risk lies in the link rather than in the file itself: the document depends on the user following it, after which the redirect chain can land on adware, further malware or a credential-harvesting page. The wkhtmltopdf producer string is self-reported metadata; it fits an HTML-to-PDF generated document but is not evidence on its own.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9991

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=sword+coast+adventurer%2527s+guide+spells (the clickable redirector link behind PDF_MALICIOUS_REDIRECTOR_LINK)
    Sixteen further links to .pdf files on free file-hosting and CDN services (mozfiles.com, strikinglycdn.com, cdn.shopify.com), with keyword-style or random filenames consistent with the PDF SEO/adware campaign named by the heuristic above:
    • https://site-1038321.mozfiles.com/files/1038321/piwegipiget.pdf
    • https://site-1040612.mozfiles.com/files/1040612/42536625037.pdf
    • https://site-1037193.mozfiles.com/files/1037193/34341664954.pdf
    • https://uploads.strikinglycdn.com/files/78f7944e-29cb-41b4-a2a3-177de5c888e4/sebubijixikep.pdf
    • https://uploads.strikinglycdn.com/files/ecd2f2e0-4113-4ac3-b9b4-ea4ad03c1fa0/83597902815.pdf
    • https://uploads.strikinglycdn.com/files/a9513040-8f34-488c-860e-3029d6564fb9/58331491983.pdf
    • https://uploads.strikinglycdn.com/files/2e1c1060-1379-4b65-9fdf-2a50528f6056/jegitewi.pdf
    • https://uploads.strikinglycdn.com/files/4520ae29-cc25-423f-a070-4180c7d07fb3/towikagipinub.pdf
    • https://cdn.shopify.com/s/files/1/0431/8062/1984/files/fepajeloluzakazuxot.pdf
    • https://cdn.shopify.com/s/files/1/0427/7056/3239/files/metujalusimoduren.pdf
    • https://cdn.shopify.com/s/files/1/0430/4715/7911/files/lufkin_high_school.pdf
    • https://cdn.shopify.com/s/files/1/0431/5676/6869/files/wikizinazil.pdf
    • https://cdn.shopify.com/s/files/1/0486/1686/5952/files/38002826885.pdf
    • https://cdn.shopify.com/s/files/1/0428/7820/6111/files/110_gallon_aquarium.pdf
    • https://cdn.shopify.com/s/files/1/0432/5838/0450/files/spirit_of_otherwhere_infusion.pdf
    • https://cdn.shopify.com/s/files/1/0478/5042/2431/files/ninabofemitijoxilasoxa.pdf
    XMP/RDF namespace URIs from the document's metadata block; these are schema identifiers, not navigable links, and carry no risk on their own:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
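Added worked example, not code from this report or from the analysis platform that produced it. It reproduces in miniature the per-URL channel labelling that the EMBEDDED_URL entry refers to and the verdict logic of PDF_MALICIOUS_REDIRECTOR_LINK: a /URI action on a /Link annotation is what a viewer opens on click, a URL in page text is merely visible, and an XMP namespace URI is not a link at all. The sample PDF is constructed inline; ttraff.com and the one mozfiles.com URL are taken from the report's list, while the object layout, the REDIRECTOR_HOSTS set and the severity labels are assumptions of the example.

```python
import re
import zlib
from urllib.parse import urlsplit

# ttraff.com is the redirector host named in the report; a real deployment feeds
# this set from campaign intel.
REDIRECTOR_HOSTS = {"ttraff.com"}
# XMP/RDF schema identifiers look like URLs but are never navigated to.
XMP_NAMESPACE_PREFIXES = (b"http://www.w3.org/1999/02/22-rdf-syntax-ns",
                          b"http://purl.org/dc/elements/1.1/", b"http://ns.adobe.com/")
# Parentheses are kept out of the URL class: PDF strings and Tj operands are delimited by them.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'*+,;=%-]+")
URI_ACTION_RE = re.compile(rb"/URI\s*(?=[(<])")      # /URI key followed by a string object
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def parse_pdf_string(data: bytes, pos: int) -> bytes:
    """Decode the PDF string object (literal or hex) that starts at data[pos]."""
    if data[pos:pos + 1] == b"<":                                # hex string <6874...>
        digits = re.sub(rb"\s", b"", data[pos + 1:data.index(b">", pos)])
        return bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode("ascii"))
    out, depth, i = bytearray(), 1, pos + 1                      # literal string (...)
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            nxt = data[i + 1:i + 2]
            if nxt and nxt in b"01234567":                       # \ddd octal escape
                m = re.match(rb"[0-7]{1,3}", data[i + 1:i + 4])
                out.append(int(m.group(), 8) & 0xFF)
                i += 1 + len(m.group())
                continue
            out += ESCAPES.get(nxt, nxt)                         # \( \) \\ \n and friends
            i += 2
            continue
        if c == b")" and depth == 1:                             # closing paren of the string
            break
        depth += (c == b"(") - (c == b")")                       # unescaped balanced parens are legal
        out += c
        i += 1
    return bytes(out)


def extract_urls(pdf: bytes) -> dict[str, set[str]]:
    """Map every URL in the file to the set of channels it was found in."""
    found: dict[str, set[str]] = {}
    # Channel 1: /URI actions, i.e. what a viewer opens on click. Scanning the whole file
    # also catches action dicts reached only through an indirect /A 7 0 R reference.
    for m in URI_ACTION_RE.finditer(pdf):
        found.setdefault(parse_pdf_string(pdf, m.end()).decode("latin-1"), set()).add("link-annotation")
    # Channels 2 and 3: stream bodies. FlateDecode streams are inflated so page text becomes
    # visible (decompressobj tolerates a clipped trailer); a raw XMP packet is the metadata block.
    for m in STREAM_RE.finditer(pdf):
        body, channel = m.group(1), "document-body"
        try:
            body = zlib.decompressobj().decompress(body)
        except zlib.error:
            if b"<x:xmpmeta" in body:
                channel = "xmp-metadata"
        for u in URL_RE.findall(body):
            is_ns = channel == "xmp-metadata" and u.startswith(XMP_NAMESPACE_PREFIXES)
            found.setdefault(u.decode("latin-1"), set()).add("xmp-namespace" if is_ns else channel)
    return found


def assess(pdf: bytes) -> list[tuple[str, str, str]]:
    """Return (severity, url, channels) triples, most severe first."""
    rank, findings = {"critical": 0, "info": 1, "ignore": 2}, []
    for url, channels in extract_urls(pdf).items():
        host = (urlsplit(url).hostname or "").lower()
        if "link-annotation" in channels and host in REDIRECTOR_HOSTS:
            sev = "critical"                   # PDF_MALICIOUS_REDIRECTOR_LINK
        elif channels == {"xmp-namespace"}:
            sev = "ignore"                     # schema identifier, nothing to click
        else:
            sev = "info"                       # EMBEDDED_URL: record it, do not alert on it
        findings.append((sev, url, ",".join(sorted(channels))))
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))


def build_sample_pdf() -> bytes:
    # Constructed demo file, not the analysed sample (no xref table; the scanner carves objects
    # rather than walking it): page text naming a second-stage PDF host, one /Link annotation
    # to the redirector, and an XMP metadata packet.
    text = zlib.compress(b"BT /F1 12 Tf 72 700 Td (https://site-1038321.mozfiles.com/files/1038321/piwegipiget.pdf) Tj ET")
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           b'<rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/" pdf:Producer="wkhtmltopdf 0.12.5"/></rdf:RDF></x:xmpmeta>')
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
            b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(text), text),
            b"<< /Type /Annot /Subtype /Link /Rect [72 690 400 712] /A << /S /URI "
            b"/URI (https://ttraff.com/pify?keyword=sword+coast+adventurer%2527s+guide+spells) >> >>",
            b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream" % (len(xmp), xmp)]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for sev, url, channels in assess(build_sample_pdf()):
        print(f"{sev:9}{channels:17}{url}")
```

Running the block prints one line per URL: the ttraff.com link comes out critical because it is both clickable and on the redirector list, the mozfiles.com URL is info only (visible text, nothing a click reaches), and the two namespace URIs are ignored. Scanning the raw file for /URI rather than walking the annotation tree is deliberate: it still finds the action when the page's /Annots entry is an indirect reference or the object is unreachable from the catalog, and hex-encoded strings are decoded so an attacker cannot hide the host by writing the URI as <68747470...>.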

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded font programs, which are expected in wkhtmltopdf output; nothing executable or scriptable was carved.

font_00_sfnt_off00071e15.bin
  SHA-256: 3e3b8e0af9a36046956d09daca4110ae4c212c16405d0c224ae3d67b7992e153
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x71E15
  Size: 5412 bytes

font_01_sfnt_off00073098.bin
  SHA-256: 05bfd60e79219a80f7d7728593e7ea553d136d87f332b5bfc82bdf8b10d00124
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x73098
  Size: 12096 bytes

font_02_sfnt_off00075830.bin
  SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x75830
  Size: 4324 bytes