Malicious PDF — malware analysis report

Static analysis result for SHA-256 9a8c60e38730db8b…

MALICIOUS

PDF

43.3 KB Created: 2020-08-31 03:56:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aec5ac6a7efce1cf1037462b964df857 SHA-1: 3ebcbecf65fa97be35d4b92399f8754a21dec696 SHA-256: 9a8c60e38730db8bedc9dfcc3ad135d9f96367aa4db0b5670931879709adcabd
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/wix?keyword=used+yamaha+4+wheeler+parts'. This URL is presented within the document body, disguised as a search result. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs, many hosted on cdn.shopify.com, suggesting an attempt to manipulate search engine results or distribute content. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=used+yamaha+4+wheeler+parts
    • https://cdn.shopify.com/s/files/1/0431/9281/1669/files/64093169929.pdf
    • https://cdn.shopify.com/s/files/1/0440/6309/6984/files/96284602946.pdf
    • https://cdn.shopify.com/s/files/1/0431/7573/9553/files/yuna_crush_lyrics.pdf
    • https://cdn.shopify.com/s/files/1/0431/2409/7191/files/40779552543.pdf
    • https://cdn.shopify.com/s/files/1/0437/7369/0017/files/wemifawidunepeb.pdf
    • https://cdn.shopify.com/s/files/1/0435/1678/8900/files/to_kill_a_mockingbird_study_guide_an.pdf
    • https://cdn.shopify.com/s/files/1/0427/5883/2294/files/ashrae_62._2.pdf
    • https://cdn.shopify.com/s/files/1/0435/4523/1509/files/69348142132.pdf
    • https://static.usrfiles.com/ugd/15ebe2_e3223865ebba4ab99807269cc35d02d7.pdf
    • https://static.usrfiles.com/ugd/4725f1_5ca9214a391a4d5c8f58eae3a8e45c93.pdf
    • https://static.usrfiles.com/ugd/b8c837_4a15c2e22735437a9c1be0a284f6b998.pdf
    • https://static.usrfiles.com/ugd/3aee12_7b15c3bbacc14bc7b583ef608f60321c.pdf
    • https://static.usrfiles.com/ugd/fe83c3_0aaa092073404597978904ebf0c9f151.pdf
    • https://static.usrfiles.com/ugd/11f207_ee7ae1b4c00a4e12b06e5267cddf37d8.pdf
    • https://static.usrfiles.com/ugd/930050_e75846b678d74a68a62551686ff7be14.pdf
    • https://static.usrfiles.com/ugd/1813b3_1c137103e0ad48f5814b638839fb74d3.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006853.bin
6e8b2f0529b949138c0b6976852337f7320718e56db03e72163e961af0c2a2c9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6853 5472 bytes
font_01_sfnt_off00007ae6.bin
d050de799df199aca4af224b9891558778293e0146bd4d88483c7c691648ba7c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7AE6 10976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.