Malicious PDF — malware analysis report

Static analysis result for SHA-256 a609db0d6b7bf82c…

MALICIOUS

PDF

42.1 KB Created: 2020-08-31 15:28:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 986104ba1a165b6e39211fb87167b592 SHA-1: 698e8b5a617580e5e0b9f88876cc697abfa26eb3 SHA-256: a609db0d6b7bf82c0d96268ab96141a2e028683e61ed78e8a1b5d622f882170a
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.com/wix?keyword=guide+to+cisg+article+74'. This URL is likely used to direct users to a phishing page or a site hosting malware. The document also contains a large number of embedded links, many of which point to Shopify domains, suggesting a link farm or SEO poisoning tactic to obscure the malicious redirector. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=guide+to+cisg+article+74
    • https://static.usrfiles.com/ugd/09273f_ed96c6abc4b14e44a9e53c684d50d4bd.pdf
    • https://static.usrfiles.com/ugd/7f16bd_6d4c73df537e4ad099905d922b1ae0ad.pdf
    • https://static.usrfiles.com/ugd/72216b_95bb6c4b7eaa455da619f21566f09119.pdf
    • https://cdn.shopify.com/s/files/1/0429/8512/8099/files/mary_poppins_script.pdf
    • https://cdn.shopify.com/s/files/1/0430/3116/7137/files/rejenalosewi.pdf
    • https://cdn.shopify.com/s/files/1/0437/9561/1810/files/concrete_form_tube.pdf
    • https://cdn.shopify.com/s/files/1/0431/8897/7813/files/84310254017.pdf
    • https://cdn.shopify.com/s/files/1/0440/0267/2798/files/dispute_hard_inquiries_on_credit_report.pdf
    • https://cdn.shopify.com/s/files/1/0443/6430/0444/files/developing_reading_skills.pdf
    • https://cdn.shopify.com/s/files/1/0436/8600/2843/files/55422480659.pdf
    • https://cdn.shopify.com/s/files/1/0439/4539/4331/files/curso_sobre_agricultura_biodinmica.pdf
    • https://cdn.shopify.com/s/files/1/0438/4745/0789/files/nidoxilezitarudikem.pdf
    • https://cdn.shopify.com/s/files/1/0428/8705/3471/files/hernando_county_schools_employment.pdf
    • https://cdn.shopify.com/s/files/1/0430/1278/4277/files/gevel.pdf
    • https://cdn.shopify.com/s/files/1/0433/3282/9342/files/rezurojusezisozodiwuv.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006731.bin
c8a5172ac55de4b86f412858ef64d84f3ee0ec1aff9a5560c7bac45ffc5bde17		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6731 5304 bytes
font_01_sfnt_off00007958.bin
0b1e721cfe0d34193584b4986a1df059f69db2bb9a9a400cb0d44d4f541b7514		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7958 10080 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.