Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad22599f27a2c403…

Verdict: MALICIOUS
File type: PDF
Size: 51.4 KB
Created: 2020-08-21 03:09:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9743c5775b2bc232bcac36f86e22bd1b
SHA-1: 78c568ce8b04ac0c113689efab39bf6b5499c178
SHA-256: ad22599f27a2c4039bb6e198fe7f5e364f13f04968f3826683625605d6471a40
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.com, which is disguised as a game download. The PDF also features a link farm, a common tactic for SEO poisoning to attract unsuspecting users. The ML classifier strongly indicates maliciousness. No scripts were extracted, but the embedded URLs and the nature of the PDF content suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.com/pify?keyword=drift+max+araba+yar%25C4%25B1%25C5%259F+oyunu+apk

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000065be.bin
    SHA-256: bf3b5c947f36eca0ebafd34d37d33785d9fac0acd5dd84403372e8704ef1e4b0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x65BE
    Size: 5488 bytes
  • font_01_sfnt_off0000785e.bin
    SHA-256: 132669dc907ffd6807dfe0fe7089d300984b3b361e6c2fcb622730731bd3453a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x785E
    Size: 17160 bytes
  • font_02_sfnt_off0000a997.bin
    SHA-256: e9fe716c2abc985b12a899a49d5539e4e8be1b56d50c083b30290d85a2a7c848
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA997
    Size: 16092 bytes