Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5a5d18a1a1989ad…

MALICIOUS

PDF

85.6 KB Created: 2020-09-07 15:27:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9b7126741b8fb50e65538b6d8c76253d SHA-1: 14bfd52c55ea1afb99d23eb3778477e25878a93f SHA-256: c5a5d18a1a1989ad5ad77f12ac43809acbde4a83768d7fc5d5b7288469390467
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.link/pify?keyword=transformers+arcee+and+jack'. This indicates the document's primary purpose is to lure the user to a potentially harmful external site. The presence of a PDF link farm heuristic further supports this, suggesting a broad distribution attempt. While no scripts were extracted, the embedded URL is sufficient evidence for a malicious redirector attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/pify?keyword=transformers+arcee+and+jack
    • https://cdn.shopify.com/s/files/1/0465/8354/6023/files/pink_panther_theme_song_free_downloa.pdf
    • https://cdn.shopify.com/s/files/1/0428/5107/4214/files/semilexapiwave.pdf
    • https://cdn.shopify.com/s/files/1/0433/8145/7061/files/38265885762.pdf
    • https://cdn.shopify.com/s/files/1/0433/9928/2845/files/twinmotion_2016_requisitos.pdf
    • https://cdn.shopify.com/s/files/1/0439/3975/8235/files/34419134577.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/91025233068.pdf
    • https://cdn.shopify.com/s/files/1/0439/3864/4123/files/jazeze.pdf
    • https://static.usrfiles.com/ugd/b8c837_68914df9eb4a44ecb18c928ff4647439.pdf
    • https://static.usrfiles.com/ugd/418e76_4df9f7dd44a4465cb84d7ff594091a86.pdf
    • https://static.usrfiles.com/ugd/0dcf4b_6eae8f8c8adc481fa4ddf2efcebd686d.pdf
    • https://static.usrfiles.com/ugd/917232_f4638b7011cc46d8a424f0c33a808d41.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000114c7.bin
89001cb0852b3fd0f1829a925ecc8c116d89406f8d8b7e54ab08ab7632316d7f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x114C7 5224 bytes
font_01_sfnt_off00012678.bin
ab61b08f39eabb783799b5867e0548608b93ab96f8c227fd6f9ac6aee61efc50		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12678 10204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.