Malicious PDF — malware analysis report

Static analysis result for SHA-256 a9a33a8259e00597…

MALICIOUS

PDF

44.6 KB Created: 2020-07-31 11:06:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a1ade5748f763e6aaef01aadcb3dbc5f SHA-1: c060b34f4546d9bcf0cddefd6f8be753c80ab858 SHA-256: a9a33a8259e00597286899036ab806770e0cc4bbaf3b122aa55888e7d7e48b86
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.cc, which is designed to lead users to further malicious content. The document body, though heavily obfuscated, suggests a lure related to educational worksheets. The presence of a large number of external PDF links, many hosted on Shopify, indicates a link farm strategy to improve search engine visibility for malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=graphing+and+data+analysis+worksheet+pdf
    • http://files.vivalavisa.net/uploads/1/3/2/6/132695416/312b8be1a88c.pdf
    • http://files.mariealohalanibrown.com/uploads/1/3/1/4/131411539/sidomeme-fazenopap-nizafelu-tutufojevi.pdf
    • http://files.misoagogo.com/uploads/1/3/2/3/132302872/1342527.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/51191810805.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/lasuzopaxikabade.pdf
    • https://cdn.shopify.com/s/files/1/0429/5560/4134/files/zesikewokolobofapenuti.pdf
    • https://cdn.shopify.com/s/files/1/0439/1275/7400/files/ronuvonewalami.pdf
    • https://cdn.shopify.com/s/files/1/0431/6318/9412/files/78607003178.pdf
    • https://cdn.shopify.com/s/files/1/0433/8129/3221/files/sakufupavimemapaxoware.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/mirizopenifipometetotagoz.pdf
    • https://cdn.shopify.com/s/files/1/0432/5670/9273/files/veruf.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/runuwadobona.pdf
    • https://cdn.shopify.com/s/files/1/0433/8463/5544/files/rekufitoxesunixewoxen.pdf
    • https://cdn.shopify.com/s/files/1/0430/8919/9268/files/xewin.pdf
    • https://cdn.shopify.com/s/files/1/0434/1438/8888/files/telowowewimuwodibilukuw.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/file

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007002.bin
e94006cde0eeab0883a4034edbe42ac05e3fefa41c928aa0c64c09cd8f81626b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7002 5380 bytes
font_01_sfnt_off00008260.bin
d4131d513a2d77f9f4ad5fd10cdeab978e2c2854520f00d0b6f7339975fd4876		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8260 10204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.