Malicious PDF — malware analysis report

Static analysis result for SHA-256 a64a571e6f9a3ad4…

MALICIOUS

PDF

39.9 KB Created: 2020-08-29 16:43:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c3dfe64b034c712c8e6bfb151604eae0 SHA-1: c59ef7587b7a87a17b5f4c14a933cab95d00f9eb SHA-256: a64a571e6f9a3ad408144e06dd734aa9a142f244d81535a502b9a61c72a9a5ca
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'ttraff.cc'. The document body also contains the text 'Adobe audition presets download' and the malicious URL, suggesting a lure to trick users into clicking the link. The presence of numerous external PDF links, many pointing to benign Shopify domains, indicates a link farm strategy, likely for SEO manipulation or to obscure the malicious redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=adobe+audition+presets+download
    • https://cdn.shopify.com/s/files/1/0439/0282/8699/files/pdf_viewer_for_google_drive.pdf
    • https://cdn.shopify.com/s/files/1/0431/1924/7514/files/2184589845.pdf
    • https://cdn.shopify.com/s/files/1/0433/0147/0366/files/compare_and_contrast_print_and_broadcast_media.pdf
    • https://cdn.shopify.com/s/files/1/0434/2156/5084/files/bnp_paribas_securities_services_luxembourg_annual_report.pdf
    • https://cdn.shopify.com/s/files/1/0447/3815/0549/files/star_wars_aftermath_empire_s_end.pdf
    • https://cdn.shopify.com/s/files/1/0428/5015/6700/files/free_animasi_power_point_bergerak.pdf
    • https://cdn.shopify.com/s/files/1/0430/6668/7642/files/65778830173.pdf
    • https://cdn.shopify.com/s/files/1/0433/5114/6650/files/89341992689.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/62114329075.pdf
    • https://cdn.shopify.com/s/files/1/0431/5476/8021/files/29984195002.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/gefoviliruvowej.pdf
    • https://static.usrfiles.com/ugd/b8c837_d1cf448b6cbc46a68b31134152d4f845.pdf
    • https://static.usrfiles.com/ugd/b8bbd7_9f5c7a6fd5414ff494f0b188ed5a45cf.pdf
    • https://static.usrfiles.com/ugd/b8c837_6366e65a4a3b459eb9fa0198f48752ea.pdf
    • https://static.usrfiles.com/ugd/b8c837_9ab8d2e2da394f6191214d53b1402e32.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c38.bin
5d64c588bb0f3975a4db7351f8c54660152b150dc4ebfd6b7d7d45e7e9b1d2b1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C38 5176 bytes
font_01_sfnt_off00006de4.bin
7b9cc18893522200523dc6ff52ffd88e7f8dd3b3041880a953bcec4bf2d25d8e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DE4 10456 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.