Malicious PDF — malware analysis report

Static analysis result for SHA-256 a3c333f0aac80033…

MALICIOUS

PDF

Size: 38.4 KB
Created: 2020-08-29 17:25:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 37a8813ef5e6d918fa796375f67d1b70
SHA-1: 57d252db92b13a9af3d10b50ae8e1c072c3c2070
SHA-256: a3c333f0aac800334f9eb9eee7d82f9a9916211464c357129cd9019098175d0a
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a link to a known malicious redirector, ttraff.cc, which is disguised with a keyword suggesting an educational evaluation. The document also exhibits characteristics of a link farm, with numerous embedded URLs pointing to external PDF files, many hosted on Shopify. The ML classifier strongly flagged this PDF as malicious. The primary attack vector appears to be social engineering through a deceptive document title and a malicious link.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (severity: info, rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=evaluation+cm2+sujet+verbe

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000586a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x586A
    Size: 5312 bytes
    SHA-256: 99b85c254ba94f1ee5180f854d5aa38ec0e5548cf5f7582bddaf14c3ecf75a27
  • font_01_sfnt_off00006a68.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6A68
    Size: 10328 bytes
    SHA-256: c33180fb5f49159f9ba516467c2e602adbfee31549f706bd8dbedc5c30ce70e5