Malicious PDF — malware analysis report

Static analysis result for SHA-256 99524aaea51918ec…

MALICIOUS

PDF

42.3 KB Created: 2020-08-23 20:43:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b17b13a78d99d8b75eb3a324f6d51885 SHA-1: afd5bdf552366a361850e230d55a2a3897605a20 SHA-256: 99524aaea51918ec56dc86d9387392158dbef452ba564f37d251c8eec5387f5e
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to a redirector service (ttraff.com) that is known to host malicious content. The document body itself is heavily obfuscated and contains a mix of seemingly random characters and URLs, suggesting it is designed to evade static analysis while still presenting a lure. The primary malicious URL identified is ttraff.com, which is used to redirect to other potentially malicious PDF files hosted on various domains.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=captain+tsubasa+dream+team+evolve+guide
    • http://sexijisa.davidbuswell.com/uploads/1/3/0/9/130969916/7121410.pdf
    • http://wupeg.authorsforpeace.com/uploads/1/3/2/8/132814930/5395543.pdf
    • https://cdn.shopify.com/s/files/1/0430/7543/6698/files/centricity_pm_training_manual.pdf
    • https://cdn.shopify.com/s/files/1/0432/5936/3483/files/lefapoxatuxog.pdf
    • https://cdn.shopify.com/s/files/1/0438/6642/3456/files/4287313152.pdf
    • https://cdn.shopify.com/s/files/1/0428/3239/6447/files/dumogenenuradiro.pdf
    • https://cdn.shopify.com/s/files/1/0431/8917/4432/files/82044853771.pdf
    • https://cdn.shopify.com/s/files/1/0430/4922/2298/files/flightradar24_gold_apk.pdf
    • https://cdn.shopify.com/s/files/1/0440/9255/5416/files/zojafi.pdf
    • https://cdn.shopify.com/s/files/1/0436/4448/5790/files/redact_adobe_acrobat_standard_dc.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/80789229335.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006581.bin
c6c25493fd08564e6e74fe2eb4e446c12e4b9df7528c122982d77e1a4bdc4c17		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6581 5384 bytes
font_01_sfnt_off000077b0.bin
c43a802b00b37cb4aae3457bb5cb8be50f812b332bfc555e327589c6d16e2fa3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x77B0 10800 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.