Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac1ac24d7a615b5a…

MALICIOUS

PDF

66.6 KB Created: 2020-08-25 15:56:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bc30a2e23a874779f5eb46db2c58a0b4 SHA-1: e96e7f0de6f0c8fdaafa0f24912ee18ce1f566e3 SHA-256: ac1ac24d7a615b5a3ee1c9e241eb1c226206117303423d2c3d023a96f675c358
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.com, which is likely used to obscure the final malicious destination. The document body, though heavily obfuscated, contains text related to an 'injury report' and the malicious URL, suggesting a lure. The presence of a large number of embedded links, many pointing to Shopify domains, indicates a link farm strategy, likely to improve SEO for malicious content. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=ellsbury+injury+report
    • http://posux.ironstormcorp.com/uploads/1/3/1/6/131606156/nagurimolazipu-fadox-guzobiga.pdf
    • http://files.acupunctureworkswonders.com/uploads/1/3/1/4/131437249/malavozitapuvala.pdf
    • http://gaxowasip.pvenw.org/uploads/1/3/1/6/131636974/1698444.pdf
    • http://files.leadershipcentersw.org/uploads/1/3/2/6/132681783/26e5ba1e83c570.pdf
    • https://cdn.shopify.com/s/files/1/0433/1231/6584/files/69323309473.pdf
    • https://cdn.shopify.com/s/files/1/0439/1036/5339/files/44480709639.pdf
    • https://cdn.shopify.com/s/files/1/0435/4041/4615/files/23649162275.pdf
    • https://cdn.shopify.com/s/files/1/0437/0792/4635/files/dd_form_93.pdf
    • https://cdn.shopify.com/s/files/1/0427/4618/3847/files/bexava.pdf
    • https://cdn.shopify.com/s/files/1/0449/9534/6590/files/electric_bicycle_design.pdf
    • https://cdn.shopify.com/s/files/1/0433/9010/7815/files/69205667503.pdf
    • https://cdn.shopify.com/s/files/1/0431/0866/3457/files/23114662859.pdf
    • https://cdn.shopify.com/s/files/1/0434/7356/7894/files/html_link_to_page.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c633.bin
c9723fdaa9c4508670051ff6f4757a1780ce8e6f01f3b8f586bf40797144492a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC633 4876 bytes
font_01_sfnt_off0000d6dd.bin
4fd6541981b521624b7a54354b8a1133020ec697512fa734c90b768a73df295b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD6DD 11344 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.