Malicious PDF — malware analysis report

Static analysis result for SHA-256 bdb96a568b79243b…

MALICIOUS

PDF

41.1 KB Created: 2020-08-31 04:52:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b670f8ed322b73a919ebe1b93d301d7e SHA-1: 4882408b23bb21202d4ccd98722d0dc6e6d3ccf3 SHA-256: bdb96a568b79243b268921388985bb3e8c17bc662dec38255d29f44d3f33aefc
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to a link farm hosted on cdn.shopify.com. One of the primary links, https://ttraff.cc/wix?keyword=captain+shivers+guide, is flagged as a malicious redirector. This suggests the document is designed to direct users to malicious infrastructure, likely for further exploitation or phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=captain+shivers+guide
    • https://cdn.shopify.com/s/files/1/0432/2351/5300/files/nugijabeda.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/pafinekumukomotutawewokab.pdf
    • https://cdn.shopify.com/s/files/1/0433/8126/0440/files/god_bless_america_sheet_music.pdf
    • https://cdn.shopify.com/s/files/1/0428/7981/1750/files/lupaniguferakuk.pdf
    • https://cdn.shopify.com/s/files/1/0432/9432/6939/files/78412178822.pdf
    • https://cdn.shopify.com/s/files/1/0434/2756/1634/files/58943976638.pdf
    • https://static.usrfiles.com/ugd/9904c2_a5c561d86ef5429ea36b7acc60268c1d.pdf
    • https://static.usrfiles.com/ugd/b8c837_ea41ad8af7544b85a84fa16b69343393.pdf
    • https://static.usrfiles.com/ugd/6d59ab_b1b8779350ea42e8bcf454144719ab97.pdf
    • https://static.usrfiles.com/ugd/b8c837_9109b88c05074a64ba9531a98d372619.pdf
    • https://cdn.shopify.com/s/files/1/0440/7400/8741/files/73577147158.pdf
    • https://cdn.shopify.com/s/files/1/0438/0141/1744/files/80492059926.pdf
    • https://cdn.shopify.com/s/files/1/0429/9925/1093/files/10946408113.pdf
    • https://cdn.shopify.com/s/files/1/0435/8209/5519/files/43964724844.pdf
    • https://cdn.shopify.com/s/files/1/0448/6434/0130/files/brightcove_supported_video_formats.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0434/2756

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000063d3.bin
4ad9ed9dedd01beb3c75b07c2a176074021d396f2e5fc3ec000950d8d38844db		 pdf-font-stream PDF embedded font (sfnt) at offset 0x63D3 5152 bytes
font_01_sfnt_off00007558.bin
b499a7b77fe6505d6fc28b09b6107bce7ab600e22c74bafdf680dd393388649f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7558 10008 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.