Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2d83a6d9dec4477…

MALICIOUS

PDF

31.6 KB Created: 2020-09-01 23:16:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: be5c9f2e1efd3a6f46577a1362939416 SHA-1: 2e0b867d3e26600fcbf8ff1572e381bf8959c073 SHA-256: b2d83a6d9dec447729936849af6a39efc9f3e4f5a8ceb3994485636b2668f347
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass external link farm, with the primary malicious link pointing to a redirector at 'ttraff.club'. This redirector is likely used to obscure the final destination, which could be a phishing page or a download site. The document body, though partially corrupted, contains text related to 'Lippo group annual report 2017', suggesting a lure to disguise the malicious intent. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=lippo+group+annual+report+2017
    • https://cdn.shopify.com/s/files/1/0429/2493/3283/files/momifurimezogor.pdf
    • https://cdn.shopify.com/s/files/1/0431/2724/2906/files/google_chrome_for_windows_xp_offline.pdf
    • https://cdn.shopify.com/s/files/1/0429/1543/0553/files/artistry_ideal_radiance_espaol.pdf
    • https://cdn.shopify.com/s/files/1/0440/1322/4094/files/devezegub.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/kepikopu.pdf
    • https://cdn.shopify.com/s/files/1/0434/3355/8168/files/bolted_joint_engineering.pdf
    • https://cdn.shopify.com/s/files/1/0431/6826/8456/files/95773397894.pdf
    • https://cdn.shopify.com/s/files/1/0431/4251/2802/files/58135692859.pdf
    • https://static.usrfiles.com/ugd/b8c837_2fbaa83ccf6542bd8792aaad004e0829.pdf
    • https://static.usrfiles.com/ugd/097bd5_b9aa7ee4351041fbb50ad434f6ab96c8.pdf
    • https://static.usrfiles.com/ugd/b8c837_c339c8983be644e3b4c99bf180b96e90.pdf
    • https://static.usrfiles.com/ugd/b8c837_32fe25f75ec94347bb927212096f365a.pdf
    • https://static.usrfiles.com/ugd/850f07_67a3658707f34939b6ccfbd2e189d94b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000403d.bin
a627df8cb65a767a8d13d44887efda39916a5b1fa7a82c9938c6279f2606f7cf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x403D 5156 bytes
font_01_sfnt_off000051e8.bin
428d2fd746fbae9085ab6018bbe78aa2c9e22063409396eb1a14bd4f0bcca34a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x51E8 9408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.