Malicious PDF — malware analysis report

Static analysis result for SHA-256 9eb5f7fd7645b99a…

Verdict: MALICIOUS

File type: PDF
Size: 73.4 KB
Created: 2020-08-26 03:49:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bfb146ff9f89fc44dad6f07f0c6e294d
SHA-1: 9de22c8983e6d453f2a3629eb956dbbd0be081a1
SHA-256: 9eb5f7fd7645b99a73685cf58f26c27ac1d9fe2f3a165bdcf584993b48a32066
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to ttraff.com. Additionally, a PDF SEO link farm heuristic indicates the presence of numerous external links, with the first being to cdn.shopify.com. The ML classifier also strongly flagged this PDF as malicious. The embedded URL likely serves as a lure to a phishing page or a download site for further malicious payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.com/pify?keyword=%25D8%25A3%25D8%25B3%25D8%25B9%25D8%25A7%25D8%25B1+%25D8%25A8%25D9%258A%25D9%2588%25D8%25AA+%25D8%25A7%25D9%2584%25D8%25AF%25D8%25B9%25D8%25A7%25D8%25B1%25D8%25A9+%25D9%2581%25D9%258A+%25D8%25A3%25D9%2584%25D9%2585%25D8%25A7%25D9%2586%25D9%258A%25D8%25A7
    • http://files.amesburyschoolcoalition.com/uploads/1/3/0/7/130739593/c02159ecdc.pdf
    • http://files.davesartdimensions.com/uploads/1/3/1/6/131606348/vojetiborakupo.pdf
    • http://files.melaninthecity.com/uploads/1/3/1/6/131606803/2215679.pdf
    • http://dagedetum.yellowhouseherbs.com/uploads/1/3/1/0/131070450/4334889.pdf
    • http://sixidoxo.lisastory.org/uploads/1/3/2/6/132682347/lubutupozadodisitu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/571475918.pdf
    • https://cdn.shopify.com/s/files/1/0432/3957/1616/files/neopets_avatar_guide.pdf
    • https://cdn.shopify.com/s/files/1/0431/4506/8699/files/67669094222.pdf
    • https://cdn.shopify.com/s/files/1/0432/0113/4747/files/angularjs_2_interview_questions_tutorialspoint.pdf
    • https://cdn.shopify.com/s/files/1/0434/2143/4005/files/pobufiro.pdf
    • https://cdn.shopify.com/s/files/1/0437/1110/3128/files/basic_accounting_concepts_notes.pdf
    • https://cdn.shopify.com/s/files/1/0434/1750/1852/files/augmented_analytics.pdf
    • https://cdn.shopify.com/s/files/1/0428/7276/6631/files/sofoxeniti.pdf
    • https://cdn.shopify.com/s/files/1/0431/5699/6247/files/40488940499.pdf
    • https://cdn.shopify.com/s/files/1/0435/5378/3957/files/rizakagezemawakobuzeveg.pdf
    • https://cdn.shopify.com/s/files/1/0434/7274/8710/files/92068437559.pdf
    • https://cdn.shopify.com/s/files/1/0437/5812/5213/files/white_mountain_ice_cream_maker_parts.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • stream_007_off0000dc13.bin
    SHA-256: 3e6c7330d9a3a7953f45d16bf8a093a0656f2ee9a8bed3865e56deb629204917
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xDC13
    Size: 32384 bytes
  • font_00_sfnt_off00009794.bin
    SHA-256: 3e900196e372575ee1af689ac1189ef6d8c737e738b089e874f4efaa939d80c0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9794
    Size: 4068 bytes
  • font_01_sfnt_off0000a570.bin
    SHA-256: 48591dd482efd8215f2e6b47902d7f528a841892619e19315f08eaa7a56d6367
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA570
    Size: 18100 bytes
  • font_02_sfnt_off0000c1b6.bin
    SHA-256: 9ef4119759a644881b8520f04e1d04450c50cb41df934bea6d07209f779bef07
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC1B6
    Size: 7704 bytes