Malicious PDF — malware analysis report

Static analysis result for SHA-256 c68eb41f6d910804…

MALICIOUS

PDF

47.2 KB Created: 2020-09-11 11:31:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aafd5293c92ecbc0f981410502bfc75b SHA-1: d4027fe85f4b3ad68128b14a4457ecc27df3d51f SHA-256: c68eb41f6d910804c6d5d31a106ce7245a3c8eb55241fd493024755c1cca2ce5
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.club/wix?keyword=bose+headphones+wireless+manual'. The document body, though heavily obfuscated, appears to contain similar text, reinforcing the lure. The presence of numerous external PDF links, many hosted on shopify.com, suggests a link farm or SEO poisoning tactic to distribute the malicious PDF. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=bose+headphones+wireless+manual
    • http://files.brooklandplace.com/uploads/1/3/1/6/131606397/b70c7edb2ce.pdf
    • https://cdn.shopify.com/s/files/1/0434/4394/5628/files/gixemunazutalejuz.pdf
    • https://cdn.shopify.com/s/files/1/0430/3205/1873/files/94681941597.pdf
    • https://cdn.shopify.com/s/files/1/0427/8799/5807/files/40651302221.pdf
    • https://static.usrfiles.com/ugd/b8bbd7_e9a359f1a55c419b9c19d957d4d02dc5.pdf
    • https://static.usrfiles.com/ugd/daca0d_c2aec76676a04949a092a5f932547ce0.pdf
    • https://cdn.shopify.com/s/files/1/0438/1461/7250/files/manualidades_de_papel.pdf
    • https://cdn.shopify.com/s/files/1/0472/3146/7685/files/aboriginal_art_symbols_worksheet.pdf
    • https://cdn.shopify.com/s/files/1/0447/1685/1356/files/wogojazixo.pdf
    • https://cdn.shopify.com/s/files/1/0430/3768/7962/files/disejutozuwafutujumojabu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007bb2.bin
fdfba5baeaffd04d8011fc5f9444e5f027fd06377efc97962f06fe54707bc1f2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7BB2 5340 bytes
font_01_sfnt_off00008dc1.bin
1e0000a5265ce6d4e8d0418187bf1cc0d5cbeff7fb21b0c31b0e95d12ca528d7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8DC1 10228 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.