Malicious PDF — malware analysis report

Static analysis result for SHA-256 c0441e7cab409e3d…

MALICIOUS

PDF

41.9 KB Created: 2020-09-04 13:18:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0418be2f2cd5938a630a15101838b62e SHA-1: 42f902cebd2cfb979306717fb9e3dba981634353 SHA-256: c0441e7cab409e3d602451baf8a6fb753d8cfacaeb3d5227ae28d9831aca5bf8
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.me/wix?keyword=camera360+old+version+apk'. This indicates a social engineering attempt to trick users into visiting a malicious site. The document body, though heavily obfuscated, contains the same URL and a reference to 'Camera360 old version apk', reinforcing the lure. The presence of a large number of embedded PDF links, many pointing to Shopify domains, suggests a link farm used for SEO poisoning or to obscure the final malicious destination.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=camera360+old+version+apk
    • https://cdn.shopify.com/s/files/1/0432/4058/7423/files/value_proposition_canvas_download.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/23342697578.pdf
    • https://cdn.shopify.com/s/files/1/0437/2362/0503/files/11801594437.pdf
    • https://cdn.shopify.com/s/files/1/0432/9439/2485/files/46146775713.pdf
    • https://static.usrfiles.com/ugd/87d215_432d00de798042f4b7f85193b54d878c.pdf
    • https://static.usrfiles.com/ugd/de3d83_0d66eb9b52514166bb184412fb2512c5.pdf
    • https://static.usrfiles.com/ugd/f967ac_5ec15a84ccdf4670bf2fecad4fc16df2.pdf
    • https://static.usrfiles.com/ugd/b8c837_1e95c97eab8c4b959e761f0896d246b4.pdf
    • https://static.usrfiles.com/ugd/625844_bed4109b4d1e4570a6dd76e888030f93.pdf
    • https://static.usrfiles.com/ugd/06497e_fd8c332bd5bf479282473c11d9752a5b.pdf
    • https://cdn.shopify.com/s/files/1/0440/0765/3526/files/2938058240.pdf
    • https://cdn.shopify.com/s/files/1/0434/7923/6760/files/wukudesozurugiwowufad.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000059b9.bin
6f6c5a8fb5e62cfd2b6ff76f758e0f05a98695d5bac735cd019a42cb5e5649ba		 pdf-font-stream PDF embedded font (sfnt) at offset 0x59B9 2952 bytes
font_01_sfnt_off00006446.bin
234b38a1bef50f5097faed95d0815ea03064b92810f9f084d4ba6a20a5006121		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6446 5592 bytes
font_02_sfnt_off0000772c.bin
bd8d0cba4e3cf1e06b6dda94924932511c49bb52f43b8d3dab1a3c0f9ad3e3ca		 pdf-font-stream PDF embedded font (sfnt) at offset 0x772C 10424 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.