Malicious PDF — malware analysis report

Static analysis result for SHA-256 a31e16a11798da08…

MALICIOUS

PDF

47.9 KB Created: 2020-08-19 17:54:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bc26c2cd89df57646d93d9ccd68fec07 SHA-1: 50f4237e3f04689e96e31308eac6ddef45466526 SHA-256: a31e16a11798da08788b1f0e0e1d9d49d60fd16b6aa44db50f7df196bec75d67
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm designed to mimic search results, specifically for 'autocad plant 3d free full version'. This link redirects to a malicious URL, ttraff.cc, which is flagged as a malicious redirector. The PDF's structure and embedded links suggest a phishing or scam attempt to lure users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=autocad+plant+3d+free++full+version
    • http://simewuga.stjohnsepiscopalchurch.org/uploads/1/3/1/3/131379808/vofutuselanofi_faxefaludotus_jalep_reton.pdf
    • http://xubaxe.metahatem.com/uploads/1/3/2/6/132695535/8aad5.pdf
    • http://zofot.plowbreakfarm.com/uploads/1/3/0/7/130776485/9564956.pdf
    • http://files.kintsugigoldenhealing.com/uploads/1/3/1/1/131163904/1227239.pdf
    • https://cdn.shopify.com/s/files/1/0432/0441/1556/files/35751608416.pdf
    • https://cdn.shopify.com/s/files/1/0435/3314/0127/files/pikila.pdf
    • https://cdn.shopify.com/s/files/1/0437/1139/8041/files/budget_2019_analysis_report.pdf
    • https://cdn.shopify.com/s/files/1/0434/4040/6684/files/lodajavene.pdf
    • https://cdn.shopify.com/s/files/1/0429/0750/0711/files/best_to_word_converter_nitro.pdf
    • https://cdn.shopify.com/s/files/1/0431/0401/0389/files/pagejituvokuraxeguluzewo.pdf
    • https://cdn.shopify.com/s/files/1/0431/1737/9745/files/16227876909.pdf
    • https://cdn.shopify.com/s/files/1/0433/6808/7711/files/vorasov.pdf
    • https://cdn.shopify.com/s/files/1/0435/1823/0688/files/vudokivebosokekipukatapis.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007d1f.bin
1959c9568f09355f154d766bc30a09fcd9915cc3abb7f72ade1d85e404c28a35		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D1F 5364 bytes
font_01_sfnt_off00008f6d.bin
76d6bc0d029cf35356393118340f049dbb2f166dc237e6318febd602b3d78746		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8F6D 10208 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.