Malicious PDF — malware analysis report

Static analysis result for SHA-256 9aadfeb5aa3633a0…

MALICIOUS

PDF

54.0 KB Created: 2020-08-17 15:46:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aecc51465eef1050929271c126c1888d SHA-1: 7458db1d42eb047d2a868efaaa2bb2e91661d51f SHA-256: 9aadfeb5aa3633a07dd4936028480bbdec55d62595ecf7bc659079d172b0abf4
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to domains associated with redirectors or link farms. The document body, though heavily obfuscated, contains text suggesting it is a lure for a "Polaroid powerpoint template presentation". The primary malicious URL identified is ttraff.com, which is known to host redirectors. The file's structure and extensive linking suggest a phishing or redirection campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=polaroid+powerpoint+template+presentation
    • http://gofazajiw.centerstagedanceal.com/uploads/1/3/2/7/132712072/4060633.pdf
    • http://files.bengilbert10.com/uploads/1/3/2/7/132741029/guvajufeleb_fanuku_jobusenupo_xupugoforavo.pdf
    • http://files.bengilbert10.com/uploads/1/3/2/7/132741029/guvajufeleb
    • https://cdn.shopify.com/s/files/1/0435/7737/6936/files/kizuz.pdf
    • https://cdn.shopify.com/s/files/1/0430/6799/8362/files/vemaxojurix.pdf
    • https://cdn.shopify.com/s/files/1/0432/5530/0249/files/raforudesimogepavonolup.pdf
    • https://cdn.shopify.com/s/files/1/0437/0454/9544/files/3661726552.pdf
    • https://cdn.shopify.com/s/files/1/0430/9617/8845/files/41951825077.pdf
    • https://cdn.shopify.com/s/files/1/0428/4504/4892/files/65580898038.pdf
    • https://cdn.shopify.com/s/files/1/0435/8098/1403/files/40392514490.pdf
    • https://cdn.shopify.com/s/files/1/0431/2642/3701/files/31946932480.pdf
    • https://cdn.shopify.com/s/files/1/0438/3195/1517/files/bohemian_rhapsody_tabs_fingerstyle.pdf
    • https://cdn.shopify.com/s/files/1/0430/1049/0519/files/what_does_a_chinese_keyboard_look_like.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008314.bin
c345397cb743550d315427aeff8f70039d76c937b7479df56d5f539d73032223		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8314 4988 bytes
font_01_sfnt_off000093f0.bin
a306826048f7c13be9332a9b749bd52219b4338d416e6900a419024d17b7faaf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x93F0 12880 bytes
font_02_sfnt_off0000bca6.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBCA6 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.