Malicious PDF — malware analysis report

Static analysis result for SHA-256 97e87646486b4cbb…

MALICIOUS

PDF

45.6 KB Created: 2020-09-03 14:18:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a9e3fccff2b140a2b505c0a7122fb00c SHA-1: ea95a02c4839d4ba3c3a2224a018c00ffb17483c SHA-256: 97e87646486b4cbbf41d126678465cdb83edcb01d8ec4b3aebbcb37c4dee24c1
90 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing indicating it links to known malicious redirector infrastructure. The primary malicious URL identified is https://ttraff.cc/wix?keyword=flyer+promotion+template. The document body, though heavily obfuscated, contains this URL, suggesting the document's purpose is to lure the user to this external resource. No scripts were extracted, but the presence of a malicious redirector is sufficient evidence of a malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=flyer+promotion+template
    • https://cdn.shopify.com/s/files/1/0434/0508/2781/files/busqueda_y_recuperacion_de_informacion.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/doxufuvezemog.pdf
    • https://cdn.shopify.com/s/files/1/0466/4190/5829/files/the_lover_marguerite_duras_english.pdf
    • https://static.usrfiles.com/ugd/911c12_1ae4d73409b24ca0b7e59d5d2495a16c.pdf
    • https://static.usrfiles.com/ugd/b8c837_9015b1e3454d4fabb526a9633a00aa3b.pdf
    • https://cdn.shopify.com/s/files/1/0441/2011/3304/files/vastu_shastra_in_gujarati.pdf
    • https://cdn.shopify.com/s/files/1/0433/9826/7029/files/packet_tracer_2.4_1.2_configure_is_l.pdf
    • https://cdn.shopify.com/s/files/1/0440/8265/9493/files/bittorrent_for_win_10.pdf
    • https://cdn.shopify.com/s/files/1/0434/0639/3496/files/19694976956.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000760f.bin
128bd77be66029c268d9356a4977642e2feef40c56046467683160c2190ce807		 pdf-font-stream PDF embedded font (sfnt) at offset 0x760F 4844 bytes
font_01_sfnt_off0000867d.bin
747e3b2824060de9333d87b9d7e8df1e01cf92488d254b06f6b5db23f5e42735		 pdf-font-stream PDF embedded font (sfnt) at offset 0x867D 10400 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.