Malicious PDF — malware analysis report

Static analysis result for SHA-256 ab9522f954e9cf4f…

MALICIOUS

PDF

41.7 KB Created: 2020-08-30 14:39:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00bee21479f149837fb05d84a30d3ce5 SHA-1: 5e5d2d8ce52d52acf4a474bfdd56d47aaa32e945 SHA-256: ab9522f954e9cf4f2bb4cb6684f40518688b0dfe442571c4fd2544d0165c4e23
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a prominent link disguised as a download for 'Fwtool dsi download'. This link, https://ttraff.cc/wix?keyword=fwtool+dsi+download, is flagged as a malicious redirector. The document's structure and embedded links suggest a phishing or social engineering attempt to redirect the user to malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=fwtool+dsi+download
    • https://static.usrfiles.com/ugd/b8c837_ba2eaa1b68bf47669681f49f3c753994.pdf
    • https://static.usrfiles.com/ugd/b8c837_4e879196731f4fcd8f61cb0a8b758c74.pdf
    • https://static.usrfiles.com/ugd/b8c837_4890071b2bbf4314940612ace5b2b058.pdf
    • https://static.usrfiles.com/ugd/3ce946_c24c3482a6df4f02a0a6d9a0412dcc7f.pdf
    • https://cdn.shopify.com/s/files/1/0433/7208/5397/files/ralikonenidawufena.pdf
    • https://cdn.shopify.com/s/files/1/0430/8231/7991/files/aspiration_pneumonia_in_pediatrics.pdf
    • https://cdn.shopify.com/s/files/1/0434/5207/2086/files/juvisona.pdf
    • https://cdn.shopify.com/s/files/1/0433/8660/1635/files/48090598800.pdf
    • https://cdn.shopify.com/s/files/1/0438/5737/9488/files/74805054765.pdf
    • https://static.usrfiles.com/ugd/b8c837_bd761afde9dc46d5aa79391bae547ccc.pdf
    • https://static.usrfiles.com/ugd/8127dd_7783b9671a2d4766a21a1dcb009258fe.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/88075317933.pdf
    • https://cdn.shopify.com/s/files/1/0437/1664/0923/files/xivebimexozurojamesuwedu.pdf
    • https://cdn.shopify.com/s/files/1/0432/9675/1774/files/niduniboxuruxuzutedige.pdf
    • https://cdn.shopify.com/s/files/1/0434/9935/6324/files/99651449808.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000065c4.bin
d533f50ef6da6f1e16a52ad6c18466565f4915921ddd141139f2e9b1407aee49		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65C4 4768 bytes
font_01_sfnt_off0000761e.bin
b4dc432ae7f4f5c63a92a97db44d418a771b548fdc3d5c0319287bb166e16db7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x761E 10544 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.