Malicious PDF — malware analysis report

Static analysis result for SHA-256 abaa471bcc6e1f4e…

MALICIOUS

PDF

48.4 KB Created: 2020-09-01 07:26:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aae7e3b627214c8a6716c96c105b3b92 SHA-1: f8ba9fb602931bf85eddf22f03cc6a88b0dc4daa SHA-256: abaa471bcc6e1f4e04f89792a5d88cc0aa8235b83cefb4d0bc0b19d537c9dd6f
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a high density of external links, many pointing to Shopify domains, suggesting a link farm for SEO manipulation. One critical heuristic identified a link to a known malicious redirector, ttraff.cc, which is used in conjunction with a keyword related to tour guides. This indicates a phishing or scam attempt designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=accredited+tour+guide+in+baguio+city
    • https://cdn.shopify.com/s/files/1/0428/4288/2215/files/78265818995.pdf
    • https://cdn.shopify.com/s/files/1/0434/0593/4757/files/sizutidutetir.pdf
    • https://cdn.shopify.com/s/files/1/0433/8994/3975/files/guitar_chords_free.pdf
    • https://cdn.shopify.com/s/files/1/0428/5625/1555/files/51085689142.pdf
    • https://cdn.shopify.com/s/files/1/0437/3839/8869/files/89952240787.pdf
    • https://cdn.shopify.com/s/files/1/0431/1531/5351/files/vermeer_sc252_service_manual.pdf
    • https://cdn.shopify.com/s/files/1/0431/8344/0030/files/23780424891.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/22271122494.pdf
    • https://cdn.shopify.com/s/files/1/0431/7731/2405/files/sedona_10_day_forecast.pdf
    • https://cdn.shopify.com/s/files/1/0431/6463/1195/files/fabisumiv.pdf
    • https://cdn.shopify.com/s/files/1/0432/3213/3278/files/tuduw.pdf
    • https://static.usrfiles.com/ugd/b8c837_854ccda3cc304d0586db2b2da9a270c3.pdf
    • https://static.usrfiles.com/ugd/b8c837_497dc99242c144dbba8b873bab2c1a97.pdf
    • https://static.usrfiles.com/ugd/18f527_801cf0a747054319956500e620dbd3af.pdf
    • https://static.usrfiles.com/ugd/b8c837_fff7a2b6cdc04b4a86919b16fa7089a6.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006332.bin
b3e194f5fe5ce56598b8ab2e2db8a23c92a5016a25c8f041ae8c2ef541d88786		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6332 5128 bytes
font_01_sfnt_off000074c2.bin
155b48642029e90b301ab32822fda463c34a8494cb9f996f3c2223992d9f3e93		 pdf-font-stream PDF embedded font (sfnt) at offset 0x74C2 10256 bytes
font_02_sfnt_off00009810.bin
23d8d1ca2e36ba7525a2a15c8cd53f82e3e44ef056afc87ae45f8df7445084e7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9810 18104 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.