Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6a4c1b63bab9a16…

MALICIOUS

PDF

44.6 KB Created: 2020-09-16 17:16:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00d944a57c60d626194d97662ff9efe7 SHA-1: bc895b785e77f766e54570aa39fc07750c673093 SHA-256: c6a4c1b63bab9a16b964155fb79584db004974a3de398676448021d7486d4cad
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.cc'. The document body, though heavily obfuscated, contains this URL and references 'cheat apk hungry shark', indicating a lure. The PDF also contains a mass external link farm, with many links hosted on shopify.com, suggesting a tactic to distribute malicious content. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=cheat+apk+hungry+shark
    • https://cdn.shopify.com/s/files/1/0428/4396/3548/files/35485654591.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/pajakeveposemilakojataza.pdf
    • https://cdn.shopify.com/s/files/1/0433/3902/2494/files/whaff_mod_apk.pdf
    • https://cdn.shopify.com/s/files/1/0430/8205/5833/files/mezapizivoduvipenanog.pdf
    • https://8269bf9f-a54c-49fe-9c31-900e2dd0b5cf.filesusr.com/ugd/dcc11b_e2f6d18bb5b54a789105bc37a5cf957c.pdf?index=true
    • https://c46e530d-b21e-4b4b-a34f-647c9ad73c29.filesusr.com/ugd/735189_c0ec7dea54414bcf8072bb97ef273a4a.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0462/3997/3536/files/vikebelaberekolum.pdf
    • https://cdn.shopify.com/s/files/1/0482/6739/5236/files/32190078840.pdf
    • https://cdn.shopify.com/s/files/1/0434/0042/9731/files/rocefin_1g_im_bula.pdf
    • https://cdn.shopify.com/s/files/1/0428/5625/1555/files/55981277588.pdf
    • https://c669a215-2e96-40f1-8845-60b91b3cdb08.filesusr.com/ugd/cc14e4_7595c7cca8864aa89088f5600a00fecd.pdf?index=true
    • https://47a3c176-eb10-4ee7-8020-e2e811083bf7.filesusr.com/ugd/3bcfef_ef2bcfa7cdd24b0d8c49d48eb3dfb154.pdf?index=true
    • https://616c8f0e-b1ce-4d86-9e7a-e8dd1064d0d5.filesusr.com/ugd/9cfd0a_34bf62e667d24ddeb0387d4396d076d1.pdf?index=true
    • https://6f2a3e62-8287-42b6-809b-c84334d9dc61.filesusr.com/ugd/35c6e2_2059b52814764830a4fa6d03ab5a600d.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000070eb.bin
def90ba835e206547b4a5c4dfc0ab04a6b318c06c888deac30479571045249c6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70EB 5120 bytes
font_01_sfnt_off00008257.bin
4d7d336f2640b35cbe71bd8a928afe4f9915a3cf3bb277d35dac682da5a35d55		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8257 10260 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.