Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa017c2d57da1222…

MALICIOUS

PDF

55.8 KB Created: 2020-08-07 15:01:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c27dde428a0715c5c211284291858baa SHA-1: 00b5f02b99fbc8a3e3692ac3fe4b3d3a1c18fbd2 SHA-256: aa017c2d57da122267b2f39d8d595b64da6e943a42b4870d78b85eb1bb8f17d1
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.com, disguised as a musical score. This indicates a phishing or malware delivery attempt. The ML classifier strongly supports the malicious nature of the PDF. The document body, though heavily obfuscated, contains the malicious URL and appears to be generated by wkhtmltopdf, a tool sometimes used to create malicious documents.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=concierto+de+aranjuez+adagio+solo+guitar+pdf
    • http://files.andfewyue.com/uploads/1/3/0/7/130740573/7586061.pdf
    • http://files.californiasun.co/uploads/1/3/0/7/130739174/6d8d53e.pdf
    • http://zajed.bvswband.org/uploads/1/3/2/7/132740214/6749016.pdf
    • https://cdn.shopify.com/s/files/1/0430/2376/1571/files/2018_dodge_journey_owner_s_manual.pdf
    • https://cdn.shopify.com/s/files/1/0433/6956/2266/files/boticario_catalogo.pdf
    • https://cdn.shopify.com/s/files/1/0438/3778/4224/files/97632123304.pdf
    • https://cdn.shopify.com/s/files/1/0430/7002/9975/files/38727631560.pdf
    • https://cdn.shopify.com/s/files/1/0437/7152/7325/files/pajibopabome.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/golizikedakumeru.pdf
    • https://cdn.shopify.com/s/files/1/0433/5462/0054/files/jacquees_feel_it_download.pdf
    • https://cdn.shopify.com/s/files/1/0432/5382/5704/files/luzekotenimirudis.pdf
    • https://cdn.shopify.com/s/files/1/0431/1423/4013/files/towizawesuke.pdf
    • https://cdn.shopify.com/s/files/1/0430/7854/9665/files/54234577399.pdf
    • https://cdn.shopify.com/s/files/1/0430/7179/9449/files/17418382406.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000084f0.bin
010b9be4870117cbcf67f351849fa337907e59b77045b279b3e5d3c77d4eb2c3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x84F0 5356 bytes
font_01_sfnt_off00009744.bin
4a2cc3da448ac5332f8e5278ef4965acd29d659bab90e2f0dcce2dc1a1f96cf0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9744 11412 bytes
font_02_sfnt_off0000bc72.bin
73e2bae015806fcbcea00a5e77fef36cf57312733aebee32ba98308b5ce41d75		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBC72 16120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.