Malicious PDF — malware analysis report

Static analysis result for SHA-256 a44fdaa0de1c7d12…

MALICIOUS

PDF

36.2 KB Created: 2020-09-01 22:33:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b0c6c9ce4d77764be80b6ce5d7708d21 SHA-1: be0655fcfb779cbf52ee8d3dd72f2d54e87f42ff SHA-256: a44fdaa0de1c7d124899b7f2ac93ecf2179c9aafd5fbd4590138dba10cb73023
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, directing users to `https://ttraff.me/wix?keyword=join+the+dots+worksheet+for+nursery`. The document body, though heavily obfuscated, also contains this URL and numerous other links hosted on `cdn.shopify.com`, suggesting a link farm or SEO poisoning attempt. The primary malicious URL is the highest priority IOC.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=join+the+dots+worksheet+for+nursery
    • https://cdn.shopify.com/s/files/1/0449/3757/6603/files/877_445_7469.pdf
    • https://cdn.shopify.com/s/files/1/0433/7693/5068/files/11699769726.pdf
    • https://cdn.shopify.com/s/files/1/0431/8697/8984/files/jotilomu.pdf
    • https://cdn.shopify.com/s/files/1/0434/7687/7478/files/asus_crashfree_bios_3.pdf
    • https://cdn.shopify.com/s/files/1/0459/9808/0157/files/foladoxibaxujorip.pdf
    • https://cdn.shopify.com/s/files/1/0429/6019/1637/files/monster_hunter_stories_3ds_rom.pdf
    • https://cdn.shopify.com/s/files/1/0432/5467/7662/files/detobofodejibijap.pdf
    • https://cdn.shopify.com/s/files/1/0432/1355/3827/files/cambridge_international_as_and_a_level_computer_science_coursebook.pdf
    • https://cdn.shopify.com/s/files/1/0428/2525/3023/files/creating_word_templates_in_sharepoint.pdf
    • https://cdn.shopify.com/s/files/1/0429/4384/0412/files/37982318547.pdf
    • https://cdn.shopify.com/s/files/1/0460/7862/3908/files/ielts_answer_sheet_listening_2017.pdf
    • https://cdn.shopify.com/s/files/1/0427/6341/9815/files/67479172582.pdf
    • https://cdn.shopify.com/s/files/1/0433/7808/1959/files/63972340355.pdf
    • https://cdn.shopify.com/s/files/1/0437/3449/9489/files/temperament_questionnaire.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000050be.bin
cc9585298065a9d97f9a83c870c6a3a8391940f6f1a23baff07287b63c5c8401		 pdf-font-stream PDF embedded font (sfnt) at offset 0x50BE 5000 bytes
font_01_sfnt_off000061d1.bin
9004c2e39e5fd932ec244e5fc5a3a128a801a984217d163655ee0909b716b9a8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x61D1 10016 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.