Malicious PDF — malware analysis report

Static analysis result for SHA-256 c13c01a90a0d8578…

MALICIOUS

PDF

Size: 44.0 KB · Created: 2020-08-27 14:28:50 +03:00 · Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a704b3372280d296d1b4e30eab0e12a1 SHA-1: 49f4b2c1ce7faf1feda9bb87e93a3dbe878937f1 SHA-256: c13c01a90a0d857877d02a40b763642aac60c760c50254bbfb34f37ff619b502
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment · T1204.001 User Execution: Malicious Link

A critical heuristic fired on a clickable link to known redirector infrastructure, 'https://ttraff.com/pify?keyword=nourishing+extract+monster+hunter+wo'. The document also matches the PDF link-farm pattern: a small file carrying many external links to other PDFs, most of them on Shopify's CDN (cdn.shopify.com). The ML classifier scored it as malicious with maximum confidence. No scripts were extracted, so the attack vector is social engineering (a user clicking a link disguised as document content) rather than exploitation of a PDF parser vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Clickable link annotations:
    • https://ttraff.com/pify?keyword=nourishing+extract+monster+hunter+wo
    • http://files.arabrams.com/uploads/1/3/1/4/131406659/afbc108fb0bd41.pdf
    • https://cdn.shopify.com/s/files/1/0432/3255/9263/files/long_to_wide_r.pdf
    • https://cdn.shopify.com/s/files/1/0430/8749/5321/files/70541357676.pdf
    • https://cdn.shopify.com/s/files/1/0431/3330/4986/files/sosodutetova.pdf
    • https://cdn.shopify.com/s/files/1/0430/5177/8202/files/fetojigadusefenokizem.pdf
    • https://cdn.shopify.com/s/files/1/0430/7966/3765/files/whirlpool_gold_dishwasher_manual.pdf
    • https://cdn.shopify.com/s/files/1/0433/7405/1493/files/61020731009.pdf
    • https://cdn.shopify.com/s/files/1/0440/1024/2198/files/girlfriends_guide_to_divorce_season_2_actors.pdf
    • https://cdn.shopify.com/s/files/1/0438/7730/2427/files/new_episode_of_louie.pdf
    • https://cdn.shopify.com/s/files/1/0430/6160/8599/files/realidades_1_capitulo_3a_answers.pdf
    • https://cdn.shopify.com/s/files/1/0429/2732/5343/files/aihw_report_cancer.pdf
    • https://cdn.shopify.com/s/files/1/0434/0734/3779/files/16983922192.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/88075317933.pdf
    XMP metadata namespace identifiers (not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
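The two critical heuristics above (redirector link, small-file link farm) and the "per-URL channel" distinction are simple to reproduce. The script below is an added example, not the analysis platform's own code: it builds a constructed, uncompressed PDF with one Link annotation per URL plus an XMP stream, pulls URIs out by channel, and scores the file. The redirector host list (only ttraff.com, taken from this report), the thresholds (100 KB, 8 PDF links, 60% clustered on one host) and all sample URLs are assumptions.

```python
"""Added example: extract clickable URIs from a PDF by channel and apply
redirector / link-farm heuristics. Thresholds and sample are assumptions."""
import re
from collections import Counter
from urllib.parse import urlparse

# Hosts treated as known redirector infrastructure. ttraff.com is the host
# named in the report; a real pipeline feeds this from threat intel.
REDIRECTOR_HOSTS = {"ttraff.com"}

# A /Link annotation's URI action: /A << /S /URI /URI (http://...) >>.
# This only sees uncompressed objects; inflate /FlateDecode object streams
# first (e.g. with pikepdf) or links inside them are silently missed.
URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Namespace declarations in an XMP metadata stream. These are identifiers
# (as in the report's w3.org / purl.org / ns.adobe.com entries), not links.
XMP_NS = re.compile(rb'xmlns:[A-Za-z0-9]+="(https?://[^"]+)"')


def extract_urls(pdf: bytes) -> dict:
    """Return URLs grouped by the channel that carried them."""
    links = [m.group(1).replace(b"\\)", b")").replace(b"\\(", b"(").decode("latin-1")
             for m in URI_ACTION.finditer(pdf)]
    xmp = [m.group(1).decode("latin-1") for m in XMP_NS.finditer(pdf)]
    return {"link_annotation": links, "xmp_namespace": xmp}


def score_pdf(pdf: bytes, small_limit=100 * 1024, min_pdf_links=8, cluster_ratio=0.6):
    """Apply the heuristics; return (urls_by_channel, [(severity, name, detail)])."""
    channels = extract_urls(pdf)
    uris = channels["link_annotation"]
    findings = []
    for u in uris:  # PDF_MALICIOUS_REDIRECTOR_LINK: any click-through to a known redirector
        if (urlparse(u).hostname or "").lower() in REDIRECTOR_HOSTS:
            findings.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", u))
    # PDF_SEO_LINK_FARM: small file, many external .pdf links, mostly on one host
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf) <= small_limit and len(pdf_links) >= min_pdf_links:
        host, n = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)[0]
        if n / len(pdf_links) >= cluster_ratio:
            findings.append(("critical", "PDF_SEO_LINK_FARM",
                             f"{len(pdf_links)} external .pdf links, {n} on {host}"))
    for u in channels["xmp_namespace"]:  # EMBEDDED_URL: informational only
        findings.append(("info", "EMBEDDED_URL", u))
    return channels, findings


def build_pdf(urls) -> bytes:
    """Construct a minimal uncompressed PDF: one page, one /Link per URL, one XMP stream."""
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/"/></x:xmpmeta>')
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >>",
            b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>",
            b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream" % (len(xmp), xmp)]
    annots = b" ".join(b"%d 0 R" % i for i in range(5, 5 + len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [%s] >>" % annots)
    for i, u in enumerate(urls):
        y = 700 - 20 * i
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [50 %d 500 %d] "
                    b"/A << /S /URI /URI (%s) >> >>" % (y, y + 15, u.encode()))
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


# Constructed sample (assumed hosts): one redirector link, nine .pdf links on
# one CDN host, one .pdf link elsewhere. Mirrors the shape of the report's list.
SAMPLE_URLS = (["https://ttraff.com/pify?keyword=example"]
               + [f"https://cdn.example.test/s/files/{i}/files/doc_{i}.pdf" for i in range(9)]
               + ["http://files.other.test/uploads/x.pdf"])
SAMPLE_PDF = build_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    _, results = score_pdf(SAMPLE_PDF)
    for severity, name, detail in results:
        print(f"{severity:8} {name:32} {detail}")
```

Against the constructed sample this yields one PDF_MALICIOUS_REDIRECTOR_LINK, one PDF_SEO_LINK_FARM (10 .pdf links, 9 on cdn.example.test) and two informational EMBEDDED_URL entries for the XMP namespaces; a document with a single .pdf link produces only the informational entries. The separation by channel is the point of the EMBEDDED_URL label above: a namespace URI in metadata is never a click-through, so it must not feed the link-count thresholds.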

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000057ea.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x57EA | 5308 bytes
  SHA-256: f2bd29b2b9cbf3f3a84ea5432f371cec4598a874096de71068eda53c6403b2ff
font_01_sfnt_off000069ee.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x69EE | 10576 bytes
  SHA-256: a149764174f2b52e7aef699965e58bab195f1b7bafe1203c42456b3bf62689b4
font_02_sfnt_off00008e53.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8E53 | 16092 bytes
  SHA-256: 9af6fc3bf9d751f70540aea0fa47faa159a3604992cda23d2adcda3ffc5346b2