Malicious PDF — malware analysis report

Static analysis result for SHA-256 a8de3927acd63d95…

Verdict: MALICIOUS

File type: PDF
Size: 45.1 KB
Created: 2020-08-14 21:33:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: be55fa97bc55f0a52c1db11f16540841
SHA-1: f3559e35c316c9a62e307767bf33caf59fabccd3
SHA-256: a8de3927acd63d95e0d5808405348a785a96d13045a5a88979e0c0f1f6ca6065
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1059.001 Command and Scripting Interpreter: PowerShell (listed by the engine; no script, JavaScript or PowerShell artifact appears in the static evidence below, so this mapping is not supported by the extracted content)

The PDF fires a critical heuristic for a link to known malicious redirector infrastructure: a clickable URI pointing to 'ttraff.cc'. The document body, though obfuscated, carries this URL together with numerous other clickable links to external PDFs, most of them on cdn.shopify.com, which is the signature of a generated link farm used for SEO poisoning or for routing users into malicious-content delivery chains. The ML classifier also scored the PDF as malicious (1.0000). The attack pattern is user-driven: the victim has to click through to the redirector, and nothing in the evidence indicates a PDF parser exploit.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wb?keyword=what%20is%20contrastive%20linguistics%20pdf
    • http://files.alyssamichele.com/uploads/1/3/1/0/131069766/aa5aff25f4.pdf
    • http://files.lavenderandslate.com/uploads/1/3/1/6/131636651/1671773.pdf
    • http://files.3brosdesigns.com/uploads/1/3/2/6/132681513/1508157.pdf
    • https://cdn.shopify.com/s/files/1/0433/3309/1480/files/appalachian_spring_score.pdf
    • https://cdn.shopify.com/s/files/1/0434/7111/0308/files/buruvotugorikuvezasaxo.pdf
    • https://cdn.shopify.com/s/files/1/0431/3343/6055/files/x_men_first_class_full_movie.pdf
    • https://cdn.shopify.com/s/files/1/0437/6972/5080/files/89632106962.pdf
    • https://cdn.shopify.com/s/files/1/0428/0962/2691/files/arrays_in_javascript.pdf
    • https://cdn.shopify.com/s/files/1/0430/7815/6449/files/torarolonatutik.pdf
    • https://cdn.shopify.com/s/files/1/0437/0032/2458/files/amiotrofia_diabtica.pdf
    • https://cdn.shopify.com/s/files/1/0433/6523/6886/files/napabonefipuvalapewefigek.pdf
    • https://cdn.shopify.com/s/files/1/0436/1859/9075/files/mass_air_flow_sensor_seminar_report.pdf
    • https://cdn.shopify.com/s/files/1/0434/1320/9246/files/refavepifogexazoderadewe.pdf
    • https://cdn.shopify.com/s/files/1/0428/9635/9580/files/votovivatamo.pdf
    • https://cdn.shopify.com/s/files/1/0432/7096/3360/files/factores_psicologicos_en_la_adolescencia.pdf
    The remaining URIs are XMP/RDF namespace identifiers from the document's metadata stream, not clickable links, and carry no detection weight on their own:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
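As an added worked example (not the analysis engine's own code), the following Python implements the three heuristics above over a minimal uncompressed PDF that it constructs inline from a subset of the URLs listed in this report. The known-redirector host list (ttraff.cc only), the thresholds (under 100 KB, at least ten external .pdf links, at least half of them on one host) and the object layout of the constructed PDF are assumptions. It also pulls the xmlns declarations out of the XMP packet separately, so that metadata namespace identifiers are never mistaken for clickable links.

```python
# Added example: link-farm / redirector heuristics over PDF /Link annotations.
# Not the report engine's code; thresholds, sample PDF and host list are assumptions.
import re
from collections import Counter
from urllib.parse import urlparse

# /URI (literal string) inside an uncompressed /Link annotation action. Samples that keep
# annotations in FlateDecode object streams must be decompressed first (e.g. qpdf --qdf).
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# xmlns declarations in the XMP metadata packet: namespace identifiers, not clickable links.
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9_]+="([^"]+)"')
KNOWN_REDIRECTOR_HOSTS = {"ttraff.cc"}  # assumed list; a production engine uses a curated feed


def build_sample_pdf(urls, xmp_namespaces):
    """Constructed minimal uncompressed PDF: one /Link annotation per URL plus an XMP packet."""
    annots = "".join(
        f"{10 + i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        f"/A << /S /URI /URI ({u}) >> >>\nendobj\n" for i, u in enumerate(urls))
    refs = " ".join(f"{10 + i} 0 R" for i in range(len(urls)))
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           + " ".join(f'xmlns:ns{i}="{ns}"' for i, ns in enumerate(xmp_namespaces))
           + "/></x:xmpmeta>")
    body = ("%PDF-1.4\n"
            "1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >>\nendobj\n"
            "2 0 obj\n<< /Type /Pages /Kids [4 0 R] /Count 1 >>\nendobj\n"
            f"3 0 obj\n<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\n"
            f"stream\n{xmp}\nendstream\nendobj\n"
            f"4 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{refs}] >>\nendobj\n"
            + annots + "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return body.encode("latin-1")


def extract_link_uris(pdf_bytes):
    """Targets of /URI actions in file order, with the \\( \\) \\\\ literal-string escapes undone."""
    return [re.sub(rb"\\([()\\])", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(pdf_bytes)]


def extract_xmp_namespaces(pdf_bytes):
    """Namespace URIs declared in the XMP packet; report them separately, never as links."""
    return sorted({m.group(1).decode("latin-1") for m in XMLNS_RE.finditer(pdf_bytes)})


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def run_heuristics(pdf_bytes, known_redirectors=KNOWN_REDIRECTOR_HOSTS,
                   small_kb=100, min_pdf_links=10, cluster_ratio=0.5):
    """(severity, code, evidence) tuples mirroring the report's three heuristics."""
    links = extract_link_uris(pdf_bytes)
    findings = []
    redirectors = [u for u in links if host_of(u) in known_redirectors]
    if redirectors:
        findings.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", redirectors))
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf_links) >= min_pdf_links and len(pdf_bytes) / 1024 < small_kb:
        top_host, top_n = Counter(map(host_of, pdf_links)).most_common(1)[0]
        if top_n / len(pdf_links) >= cluster_ratio:  # mostly clustered on one host
            findings.append(("critical", "PDF_SEO_LINK_FARM",
                             [f"{top_n}/{len(pdf_links)} external PDF links on {top_host}"]))
    if links:  # informational; URL presence alone is never a detection
        findings.append(("info", "EMBEDDED_URL", links))
    return findings


# Constructed input reproducing the link mix in the report (a subset of the listed URLs).
SAMPLE_URLS = [
    "https://ttraff.cc/wb?keyword=what%20is%20contrastive%20linguistics%20pdf",
    "http://files.alyssamichele.com/uploads/1/3/1/0/131069766/aa5aff25f4.pdf",
    "http://files.lavenderandslate.com/uploads/1/3/1/6/131636651/1671773.pdf",
    "http://files.3brosdesigns.com/uploads/1/3/2/6/132681513/1508157.pdf",
    "https://cdn.shopify.com/s/files/1/0433/3309/1480/files/appalachian_spring_score.pdf",
    "https://cdn.shopify.com/s/files/1/0434/7111/0308/files/buruvotugorikuvezasaxo.pdf",
    "https://cdn.shopify.com/s/files/1/0431/3343/6055/files/x_men_first_class_full_movie.pdf",
    "https://cdn.shopify.com/s/files/1/0437/6972/5080/files/89632106962.pdf",
    "https://cdn.shopify.com/s/files/1/0428/0962/2691/files/arrays_in_javascript.pdf",
    "https://cdn.shopify.com/s/files/1/0430/7815/6449/files/torarolonatutik.pdf",
    "https://cdn.shopify.com/s/files/1/0437/0032/2458/files/amiotrofia_diabtica.pdf",
    "https://cdn.shopify.com/s/files/1/0433/6523/6886/files/napabonefipuvalapewefigek.pdf",
]
SAMPLE_XMP_NS = ["http://www.w3.org/1999/02/22-rdf-syntax-ns#", "http://purl.org/dc/elements/1.1/"]
SAMPLE = build_sample_pdf(SAMPLE_URLS, SAMPLE_XMP_NS)
# Control: a normal document citing two PDFs on different hosts trips nothing but EMBEDDED_URL.
CONTROL = build_sample_pdf(["https://example.org/a.pdf", "https://example.net/b.pdf"], SAMPLE_XMP_NS)

if __name__ == "__main__":
    for sev, code, evidence in run_heuristics(SAMPLE):
        print(sev, code, len(evidence), evidence[0])
```

A real sample produced by wkhtmltopdf keeps its content streams FlateDecode-compressed and may put objects in object streams, so run it through a proper parser, or through `qpdf --qdf --object-streams=disable`, before applying the regex. The thresholds are starting points; tune them against a benign corpus of reference lists and bibliographies, which legitimately cite many external PDFs but rarely cluster on a single CDN host.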

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000712a.bin
SHA-256: 1a21807f6f886501b3a67dd97ad1cf190b9d50e7562021a2e9ee56761c32b0eb
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x712A
Size: 5488 bytes

Filename: font_01_sfnt_off000083dd.bin
SHA-256: 32a34a4af9133487984579eed71c1cfd15b7f9ec632473059f046dd6f2465df8
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x83DD
Size: 10600 bytes