Malicious PDF — malware analysis report

Static analysis result for SHA-256 9db52d050a8c473c…

Verdict: MALICIOUS
File type: PDF
Size: 38.3 KB
Created: 2020-08-15 01:35:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 03cf9e4607d15c12af467f19444a8382
SHA-1: 2cbac38b43ea20d33ae9703e6d0bea72a90c9750
SHA-256: 9db52d050a8c473cc0607f92cb97523d2d65ea6ef41c46ab22564e10a7d1db2b
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to Shopify-hosted PDFs, suggesting a link farm built for SEO poisoning. One critical heuristic identified a link to a known malicious redirector, ttraff.cc, which is used to serve the lure 'alien shooter hacked apk'. The document body confirms this lure and includes the redirector URL. The volume of outbound links combined with this specific lure indicates a phishing or malware distribution attempt that depends on the user following a link rather than on any PDF parser vulnerability.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=alien+shooter+hacked+apk

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000058e5.bin
    SHA-256: c2a1fa080e63978476f6181038ec0f16bb06d819f5fa2f7a55abd6929e39fde1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x58E5
    Size: 5212 bytes
  • font_01_sfnt_off00006a8f.bin
    SHA-256: 4d0875c04d58624a22d4f703468c314dbc99c4a5e7c84d160e6330e2b2933212
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6A8F
    Size: 10020 bytes