Malicious PDF — malware analysis report

Static analysis result for SHA-256 c52e69c9bca6479a…

MALICIOUS

PDF

Size: 29.5 KB
Created: 2020-07-10 12:06:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2337387b7e207b29480f1d72a616d378
SHA-1: 177239ffdf54a5834c693a0ddc52e91143d29982
SHA-256: c52e69c9bca6479a6a99927dd1372c4de98c42872ca89e3f34b9b6f5a892acd0
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a mass external link farm, with multiple URLs pointing to various PDF files hosted on different domains. One prominent URL, 'https://ttraff.com/wb?keyword=how%20to%20use%20pdf.js%20viewer', is identified as a malicious redirector. The ML classifier also flagged this PDF with high confidence. The presence of these links suggests a phishing or redirection attack designed to lead users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/wb?keyword=how%20to%20use%20pdf.js%20viewer