Malicious PDF — malware analysis report

Static analysis result for SHA-256 9beec260e4cc1927…

MALICIOUS

PDF

39.7 KB Created: 2020-08-31 05:27:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a2fe5309456830b37ff8e4a2644eba19 SHA-1: 55ed8fbb98d980809c5aae55a1861374c87dfc70 SHA-256: 9beec260e4cc192752816cfbcae19e3e11b92c79c6955ae8c83f2e9b877bc2ed
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF was flagged as malicious due to a critical heuristic firing for a redirector link pointing to ttraff.me. This URL is likely used to direct users to a malicious site. The document body contains obfuscated text and embedded URLs, including the primary malicious redirector, suggesting a phishing or malware delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=naam+hai+tera+taran+hara+bhajan+down
    • https://cdn.shopify.com/s/files/1/0428/9249/2963/files/50600601069.pdf
    • https://cdn.shopify.com/s/files/1/0433/8309/5459/files/brothers_burger_menu.pdf
    • https://cdn.shopify.com/s/files/1/0439/1672/2344/files/ames_performance_center_burnsville.pdf
    • https://static.usrfiles.com/ugd/33a2e4_0ee1c82464a9448ea658cbcb37fdcde3.pdf
    • https://static.usrfiles.com/ugd/b8c837_b6c190f4b6494997a8f83f845ef1045a.pdf
    • https://cdn.shopify.com/s/files/1/0459/8733/2253/files/rojibatuwikidadarafona.pdf
    • https://cdn.shopify.com/s/files/1/0462/4328/3104/files/44613014023.pdf
    • https://static.usrfiles.com/ugd/b8c837_0477fee2ee2e4f7086ad927eaeb3ddf1.pdf
    • https://static.usrfiles.com/ugd/52b593_13874e3e5e6e44c1a2c446095b813ca9.pdf
    • https://static.usrfiles.com/ugd/b8c837_bd283b680f7540edaa1e482e831b5bc9.pdf
    • https://static.usrfiles.com/ugd/b4609a_a11d62d836aa4ecba5b883b2f86dd31c.pdf
    • https://static.usrfiles.com/ugd/b8c837_b86ad344d73a4a869059bbfbdf53c55a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004ed9.bin
456b1c5e7cf640540698a42a0f8deb0a1b952ff2527a7b86f28e6d0874dd10c5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4ED9 5132 bytes
font_01_sfnt_off00006032.bin
202e9d81efe997ea178a801fd04fb7739836e35a7f71cd0b1ecd20cb5e26f817		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6032 4616 bytes
font_02_sfnt_off00006eed.bin
367168631ec781b571a9c4c4a9917c5248b495558871b7d4933d0727b89b8b68		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6EED 10028 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.