Malicious PDF — malware analysis report

Static analysis result for SHA-256 9f891e42d03a52db…

MALICIOUS

PDF

41.5 KB Created: 2020-08-31 09:03:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a2288fabc80cb5d32dd5284878fd8a44 SHA-1: 3fad96ebe5284141c02b6ba4376e5348189e02fe SHA-256: 9f891e42d03a52db309a39499a993d7acd4217d00417c11d2d2b9a40de54ca62
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/wix?keyword=in+the+heights+download'. This link is presented within the document body, likely as a lure to trick users into clicking it. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs. The ML classifier strongly flagged this PDF as malicious, supporting the assessment of a malicious redirector attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=in+the+heights+download
    • https://cdn.shopify.com/s/files/1/0434/7016/0032/files/53945375021.pdf
    • https://cdn.shopify.com/s/files/1/0432/8069/5462/files/gogimanivanitejulonup.pdf
    • https://cdn.shopify.com/s/files/1/0434/8336/5528/files/5483775370.pdf
    • https://cdn.shopify.com/s/files/1/0435/2802/8312/files/sql_server_interview_questions_for_experienced_professionals.pdf
    • https://cdn.shopify.com/s/files/1/0434/6327/8758/files/sql_licensing_guide.pdf
    • https://static.usrfiles.com/ugd/b8c837_a96b52027037426995c4055e1696a306.pdf
    • https://static.usrfiles.com/ugd/18122d_e107e269b83b42c5967837da30f35c33.pdf
    • https://static.usrfiles.com/ugd/52b593_c555c911a6d64ee3ac3df6252c3a1770.pdf
    • https://static.usrfiles.com/ugd/d55797_2d530a3e51854b5bb8f495a6c152b192.pdf
    • https://static.usrfiles.com/ugd/b8c837_6664b1be210a4483b4d4a3ef414dfdfb.pdf
    • https://static.usrfiles.com/ugd/314c35_d21ee72830274326b1e4342fa26ffce6.pdf
    • https://static.usrfiles.com/ugd/eed56f_e035dd67230a4f069cc767a3a5453a5d.pdf
    • https://static.usrfiles.com/ugd/c068f8_bc51399a0e7c4e83add789f16d1dcc51.pdf
    • https://static.usrfiles.com/ugd/c618e9_2eb8ded48fa4478389a8ed34096844b0.pdf
    • https://static.usrfiles.com/ugd/4b68be_83c28598d3a8409ebdea958a1ed8e298.pdf
    • https://static.usrfiles.com/ugd/5fd5c1_5ad880e0598740fab889ab863112ed9a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000620f.bin
67cae34793a3862a07b8a8ac0dba68da8b59c1798732cd5b4e0fb320db530caf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x620F 5020 bytes
font_01_sfnt_off00007331.bin
a0617ab093a65bd056b556e21c54317d15e17b8d620e0ec552d60c0daf1ac90c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7331 11820 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.