Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3c910760ee2dc29…

Verdict: MALICIOUS
File type: PDF
Size: 153.0 KB
Created: 2020-09-17 09:42:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 004dc042795b993bb0ac063cd3e932f2
SHA-1: 192d7adb867a337eed3f52d40c76d45846d1db11
SHA-256: c3c910760ee2dc293c12260566933452ca05a104598083ac1a681400c757d3eb
Risk Score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.com/wix?keyword=castleton+mta+bus+depot'. An ML classifier also flagged the document with high confidence. The document body, though heavily obfuscated, contains the same malicious URL. This indicates the primary purpose is to lure the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/wix?keyword=castleton+mta+bus+depot
    • http://sited.tnquarterhorsesales.com.au/uploads/1/3/1/1/131164112/wepabavebot.pdf
    • http://webofemag.gumshuzchin.com/uploads/1/3/2/6/132681885/dawokosi.pdf
    • https://cdn.shopify.com/s/files/1/0434/0308/3928/files/5764814093.pdf
    • https://cdn.shopify.com/s/files/1/0435/5863/3631/files/61547698284.pdf
    • https://cdn.shopify.com/s/files/1/0449/0684/0231/files/npt_tap_drill_sizes.pdf
    • https://cdn.shopify.com/s/files/1/0434/7779/4982/files/carbonate_sediments_and_rocks_under_the_microscope.pdf
    • https://cdn.shopify.com/s/files/1/0463/5338/3581/files/wii_motion_plus_remote.pdf
    • https://cdn.shopify.com/s/files/1/0437/6831/6055/files/15554853599.pdf
    • https://cdn.shopify.com/s/files/1/0432/0467/3697/files/tatozonularupemede.pdf
    • https://cdn.shopify.com/s/files/1/0440/0034/6270/files/22921784160.pdf
    • https://cdn.shopify.com/s/files/1/0432/6234/5384/files/rixunitadiletinegetirefi.pdf
    • https://cdn.shopify.com/s/files/1/0431/6459/8434/files/capteur_infrarouge.pdf
    • https://7d199173-479f-4975-b588-5059022baa3d.filesusr.com/ugd/97aff7_94885ebfb0864bb788e9bf8f96baed4e.pdf?index=true
    • https://a9a5e5f7-d9b5-488a-bc5a-d66ad6ab29da.filesusr.com/ugd/682d1c_9f6fd829ac85424f8897a84137e57dd6.pdf?index=true
    • https://0f713d39-b414-4eff-bedf-f69db2a7909b.filesusr.com/ugd/c83fdb_07eca63a99cb49b3845ca2a1cfc06e6f.pdf?index=true
    • https://7d939646-b393-464e-8622-1c32f64691ef.filesusr.com/ugd/78c764_8e53e42b8d1949f1b32b4df6f5ce92a8.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • font_00_sfnt_off000219cd.bin
    SHA-256: d15dba93bf7fdc974e3ff77798cc7d57a67b85e73a045a1f6472b56d40b941ff
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x219CD
    Size: 5056 bytes
  • font_01_sfnt_off00022ade.bin
    SHA-256: 6707d0f47c9dab06c3bab263fc6c26b5d90a952147e08c53b33db4be180d2979
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x22ADE
    Size: 13784 bytes