Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae81a143c85825c8…

MALICIOUS

PDF

51.1 KB Created: 2020-09-14 08:30:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00978adedb3fa60b55b7061f97a70045 SHA-1: f338353a95d670a1f8629cbba7c971e705a4d013 SHA-256: ae81a143c85825c801a41770cb7d9c723d5ed955ce23fd75a889ee1edf2a62a6
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged by multiple critical heuristics for containing malicious redirector links and a large link farm. The primary malicious URL identified is https://ttraff.me/wix?keyword=is+the+journal+of+the+two+sisters+cannon, which likely serves as a lure or initial stage for a phishing attack. The document body contains garbled text but also includes the malicious URL and a benign-looking Shopify URL, suggesting an attempt to disguise the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=is+the+journal+of+the+two+sisters+cannon
    • http://files.eftcatherine.com/uploads/1/3/1/4/131438784/mazonufisoniw_gazal_wikodipaxebuvel.pdf
    • http://files.quintessencesilk.com/uploads/1/3/1/4/131437378/kedelazesubu_lanoduxiko_gonumo.pdf
    • http://fitutasez.sharonlasalle.com/uploads/1/3/0/8/130814328/6351637.pdf
    • http://files.roamingcic.com/uploads/1/3/1/4/131454216/2551030.pdf
    • http://labab.stephcookpt.com/uploads/1/3/1/3/131398394/58b29.pdf
    • http://files.snobz.co/uploads/1/3/1/1/131164211/f64bd17e636.pdf
    • https://cdn.shopify.com/s/files/1/0429/8558/6849/files/19240347696.pdf
    • https://cdn.shopify.com/s/files/1/0429/8833/9354/files/93261788820.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/72905654063.pdf
    • https://cdn.shopify.com/s/files/1/0483/8696/5672/files/root_apps_apk_for_android.pdf
    • https://cdn.shopify.com/s/files/1/0433/7342/8890/files/vegerulupegiwawigonujen.pdf
    • https://cdn.shopify.com/s/files/1/0430/4211/1637/files/behavioral_skills_training.pdf
    • https://cdn.shopify.com/s/files/1/0430/0180/7007/files/30666903021.pdf
    • https://cdn.shopify.com/s/files/1/0429/0582/9532/files/86633114716.pdf
    • https://cdn.shopify.com/s/files/1/0433/9128/7452/files/mr_bean_movie_in_tamil_hd.pdf
    • https://cdn.shopify.com/s/files/1/0439/4424/7451/files/4832560293.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008a41.bin
7985b53ef341b60967632dd8755102deea176845dec8a64578431fed8968dbec		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8A41 5072 bytes
font_01_sfnt_off00009b95.bin
8820ab370b12199cb089c230f2bbd642f786f85e384b022a3ed82a19b406a23b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9B95 10280 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.