Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c47db1094141868…

MALICIOUS

PDF

34.1 KB Created: 2020-09-02 22:08:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b21f31e0a2b99ebf927de5c20b37200f SHA-1: c4dfe9fd4f4a34fbdee722ccc015b4e928173306 SHA-256: 9c47db1094141868404f763d680b05a874fbe37ed20340ff40b0bdd0e4e7bd71
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged by multiple heuristics as malicious, specifically for containing a link to a known malicious redirector. The document body contains garbled text but also includes the URL 'https://ttraff.me/wix?keyword=tehda+cheer+song++djpunjab', which is identified as a malicious redirector. This suggests the PDF's primary purpose is to lure users to a potentially harmful external site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=tehda+cheer+song++djpunjab
    • https://static.usrfiles.com/ugd/191a6d_9b7f7c966d5c401a8476f34328bf7cc7.pdf
    • https://static.usrfiles.com/ugd/66c878_0c90a44d2f554f6e90855364adbbc73e.pdf
    • https://static.usrfiles.com/ugd/5d2cf3_7336fe2f3e5e47488d3587a32ff073eb.pdf
    • https://static.usrfiles.com/ugd/b8c837_939780b089b844c687de3aae71206cc6.pdf
    • https://static.usrfiles.com/ugd/a4d998_955b85758571429bae17ab26af0aa72b.pdf
    • https://cdn.shopify.com/s/files/1/0429/7133/2767/files/boxefavujiv.pdf
    • https://static.usrfiles.com/ugd/81d6a4_dc3ba662da9944d98da0f95cc69c809e.pdf
    • https://static.usrfiles.com/ugd/87b9a8_bb9f69b6e1554a21966a9cb8b533ad86.pdf
    • https://static.usrfiles.com/ugd/91e123_d69c11c5f6d34e8d87d62e9739d94cfd.pdf
    • https://cdn.shopify.com/s/files/1/0428/6968/6431/files/massey_ferguson_135_parts.pdf
    • https://cdn.shopify.com/s/files/1/0437/3423/7333/files/rogodejifusokisiram.pdf
    • https://cdn.shopify.com/s/files/1/0460/8399/7860/files/teradata_timestamp_format_24_hour.pdf
    • https://cdn.shopify.com/s/files/1/0428/2312/3100/files/nifuvopotajedudo.pdf
    • https://cdn.shopify.com/s/files/1/0440/6693/0840/files/beat_saber_size.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000046d7.bin
33cf2c1d19628cf280683b2e502f024a65478de8bc3220be2579242b2dea5249		 pdf-font-stream PDF embedded font (sfnt) at offset 0x46D7 5468 bytes
font_01_sfnt_off00005961.bin
5e80cbd7b153cb91dc0b20b545e302872fdabcee61b14e0c3f5164418866d30a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5961 10092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.