Malicious PDF — malware analysis report

Static analysis result for SHA-256 b20c428dac4f1939…

MALICIOUS

PDF

Size: 35.1 KB
Created: 2020-08-19 10:05:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b8e20c8b68a9c6f5e2992f94d88377fc
SHA-1: 586677af735e65a5416ba9dde194b8ee94bffe2b
SHA-256: b20c428dac4f193950c59aa5e6c01a7e095999342027e3d286ffb83d9c75ec48
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains a clickable link to ttraff.com, a host known as redirector infrastructure for a malicious PDF SEO/adware delivery campaign; its keyword parameter suggests a lure built around a "disciplinary hearing outcome report template". The document also carries a large number of other link annotations, most of them pointing to PDF files hosted on cdn.shopify.com, a pattern characteristic of generated SEO link-farm PDFs used to route users into malicious or unwanted-software delivery chains. The ML classifier scored the file 1.0000 (malicious). No embedded scripts (JavaScript, PowerShell or otherwise) were extracted, so the attack vector is social engineering: the user has to follow the deceptive link, and any payload is delivered by the redirect chain rather than by a PDF parser exploit.

Machine Learning

  • Nyx PDF Classifier: malicious, score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=disciplinary+hearing+outcome+report+template
    • http://files.seaofqihealing.com/uploads/1/3/2/8/132815123/7518686.pdf
    • http://gipolug.stjohnsmag.com/uploads/1/3/0/7/130739718/vuvikarup.pdf
    • https://cdn.shopify.com/s/files/1/0432/2482/6014/files/70571563030.pdf
    • https://cdn.shopify.com/s/files/1/0431/7410/1160/files/diganik.pdf
    • https://cdn.shopify.com/s/files/1/0437/1437/9930/files/55744055501.pdf
    • https://cdn.shopify.com/s/files/1/0435/9405/5843/files/viwam.pdf
    • https://cdn.shopify.com/s/files/1/0438/3670/2870/files/music_paradise_pro_version_1._0.pdf
    • https://cdn.shopify.com/s/files/1/0438/0796/5345/files/pdf_booklet_printing_margins.pdf
    • https://cdn.shopify.com/s/files/1/0430/5181/0969/files/72265215715.pdf
    • https://cdn.shopify.com/s/files/1/0456/9146/9983/files/logo_quiz_answers_level_7.pdf
    • https://cdn.shopify.com/s/files/1/0432/4183/2615/files/81177282763.pdf
    • https://cdn.shopify.com/s/files/1/0438/4296/1570/files/berkhof_systematic_theology.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries (the RDF, Dublin Core and Adobe XMP namespaces) come from the XMP metadata packet that wkhtmltopdf/Qt writes into the file, not from link annotations; they are namespace identifiers, not clickable targets, and should not be counted as links.
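The two link heuristics above, re-implemented as an added example (this is not the analyzer's code). It constructs a minimal PDF carrying the clickable links listed in this report plus an XMP metadata packet, extracts only the /URI targets of link annotations (so the XMP namespace identifiers are not counted), and raises PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM. The thresholds, the KNOWN_REDIRECTORS set, the PDF builder and the sample PDF are assumptions made for illustration.

```python
"""Link-annotation heuristics from the report, re-implemented on a constructed PDF.
Added example, not the analyzer's code; thresholds and the builder are assumptions."""
from __future__ import annotations
import re
from collections import Counter
from urllib.parse import urlparse

KNOWN_REDIRECTORS = {"ttraff.com"}  # assumption: seeded from the report's own finding
SMALL_PDF_BYTES = 64 * 1024         # assumption: what counts as a "small" PDF
MIN_FARM_LINKS = 8                  # assumption: what counts as "many" .pdf links
CLUSTER_RATIO = 0.6                 # assumption: share of .pdf links on the top host

# /URI (literal string) of a link annotation; tolerates \( \) \\ escapes. Only sees
# uncompressed objects: inflate FlateDecode/object streams first on real samples.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Any URL-looking byte run anywhere in the file, XMP metadata included.
GENERIC_URL_RE = re.compile(rb"""https?://[^\s<>"')]+""")

def extract_link_uris(pdf: bytes) -> list[str]:
    """URLs a reader can actually click: the /URI of each link annotation."""
    out = []
    for m in URI_RE.finditer(pdf):
        raw = m.group(1).replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        out.append(raw.decode("latin-1"))
    return out

def extract_all_urls(pdf: bytes) -> list[str]:
    """Naive sweep that also returns XMP namespace identifiers, which are not links."""
    return [m.group(0).decode("latin-1") for m in GENERIC_URL_RE.finditer(pdf)]

def analyze(pdf: bytes) -> dict:
    uris = extract_link_uris(pdf)
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    findings = []
    for u in uris:  # PDF_MALICIOUS_REDIRECTOR_LINK: clickable URI on a known redirector host
        host = urlparse(u).hostname or ""
        if host in KNOWN_REDIRECTORS or any(host.endswith("." + d) for d in KNOWN_REDIRECTORS):
            findings.append(("PDF_MALICIOUS_REDIRECTOR_LINK", u))
    # PDF_SEO_LINK_FARM: small file, many clickable links to other .pdf files, mostly on one host
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf) <= SMALL_PDF_BYTES and len(pdf_links) >= MIN_FARM_LINKS:
        top_host, top_n = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)[0]
        if top_n / len(pdf_links) >= CLUSTER_RATIO:
            findings.append(("PDF_SEO_LINK_FARM", f"{len(pdf_links)} .pdf links, {top_n} on {top_host}"))
    return {"uris": uris, "hosts": dict(hosts), "findings": findings}

def build_link_pdf(urls: list[str]) -> bytes:
    """Constructed minimal PDF (assumption): one page with one /Link annotation per URL,
    plus an XMP metadata stream carrying namespace URIs like the ones the report lists."""
    lit = lambda s: s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           '<rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/" pdf:Producer="wkhtmltopdf 0.12.5"/>'
           '</rdf:RDF></x:xmpmeta>')
    objects = ["<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
               "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
               None,  # page object, filled in once the annotation object numbers are known
               f"<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\nstream\n{xmp}\nendstream"]
    refs = []
    for i, u in enumerate(urls):
        objects.append(f"<< /Type /Annot /Subtype /Link /Rect [0 {i * 12} 200 {i * 12 + 10}] "
                       f"/A << /S /URI /URI ({lit(u)}) >> >>")
        refs.append(f"{len(objects)} 0 R")
    objects[2] = f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots [{' '.join(refs)}] >>"
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n{body}\nendobj\n".encode("latin-1")
    xref_at = len(out)
    out += f"xref\n0 {len(objects) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{off:010d} 00000 n \n".encode() for off in offsets)
    out += f"trailer\n<< /Size {len(objects) + 1} /Root 1 0 R >>\nstartxref\n{xref_at}\n%%EOF\n".encode()
    return bytes(out)

# Constructed sample: the clickable link set this report extracted from the file.
SAMPLE_URLS = [
    "https://ttraff.com/pify?keyword=disciplinary+hearing+outcome+report+template",
    "http://files.seaofqihealing.com/uploads/1/3/2/8/132815123/7518686.pdf",
    "http://gipolug.stjohnsmag.com/uploads/1/3/0/7/130739718/vuvikarup.pdf",
    "https://cdn.shopify.com/s/files/1/0432/2482/6014/files/70571563030.pdf",
    "https://cdn.shopify.com/s/files/1/0431/7410/1160/files/diganik.pdf",
    "https://cdn.shopify.com/s/files/1/0437/1437/9930/files/55744055501.pdf",
    "https://cdn.shopify.com/s/files/1/0435/9405/5843/files/viwam.pdf",
    "https://cdn.shopify.com/s/files/1/0438/3670/2870/files/music_paradise_pro_version_1._0.pdf",
    "https://cdn.shopify.com/s/files/1/0438/0796/5345/files/pdf_booklet_printing_margins.pdf",
    "https://cdn.shopify.com/s/files/1/0430/5181/0969/files/72265215715.pdf",
    "https://cdn.shopify.com/s/files/1/0456/9146/9983/files/logo_quiz_answers_level_7.pdf",
    "https://cdn.shopify.com/s/files/1/0432/4183/2615/files/81177282763.pdf",
    "https://cdn.shopify.com/s/files/1/0438/4296/1570/files/berkhof_systematic_theology.pdf",
]

if __name__ == "__main__":
    pdf = build_link_pdf(SAMPLE_URLS)
    result = analyze(pdf)
    print(len(result["uris"]), "clickable URIs;", len(extract_all_urls(pdf)), "URL-looking strings")
    for name, detail in result["findings"]:
        print(name, detail)
```

On the constructed sample this reports 13 clickable URIs but 15 URL-looking strings; the two extra are the XMP namespace identifiers, which is why link counting must work from /URI actions rather than from a generic URL sweep. The raw-byte regex only sees uncompressed objects: wkhtmltopdf/Qt output usually has Flate-compressed streams, so on a real sample run `qpdf --qdf --object-streams=disable in.pdf out.pdf` first, or use a real parser (pypdf, pdfminer) that walks /Annots. The scanner also ignores hex-string /URI values and /GoToR or /Launch actions, which a production rule should cover.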

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                      Size
font_00_sfnt_off00004b20.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x4B20   5448 bytes
  SHA-256: 49b922ffb25ed3708ef5a8f735a7647fc0f50538ce721a88159a08a3eef35a0b
font_01_sfnt_off00005d7d.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x5D7D   9916 bytes
  SHA-256: bbbcc151462f02ab546e4df9e4638b080f52389c84c7fd5214464fe1a2059ce4