Malicious PDF — malware analysis report

Static analysis result for SHA-256 c71ce9e9ee44074d…

Verdict: MALICIOUS
File type: PDF
Size: 42.3 KB
Created: 2020-08-21 00:16:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 309071054b122224481c4b9ca29f39ea
SHA-1: 4dfa2fe94e80f7b24ab3de214c210a722f0f003e
SHA-256: c71ce9e9ee44074dd57f3de8176920af59a198b90470617f1d2d893fe193b7bd
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link (the technique ID as tagged; T1566.002 is "Spearphishing Link", while "Spearphishing Attachment" is T1566.001)
T1059.001 PowerShell (tagged by the classifier only; none of the extracted URLs, objects or carved artifacts below shows a PowerShell stage, so treat this tag as unconfirmed)

The PDF carries a link farm (ten clickable external .pdf links, nine of them on cdn.shopify.com) plus a direct link to a ttraff.com redirector URL, all behind a benign-looking "Scrum daily standup template" title. The ML classifier scored the file as malicious with maximum confidence. The attack vector is social engineering rather than parser exploitation: the document does nothing by itself and relies on the user clicking through to the redirector, which routes into the campaign's infrastructure. The duplicate object definition noted below should be checked with both a first-wins and a last-wins parser before concluding that no active content is present.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the redirect target, not the PDF itself, is where the payload lives.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF with many clickable external .pdf links, most of them clustered on a single host, matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains. A normal document's citations are not this dense or this concentrated on one host.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for that object, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates (each save appends a new copy of changed objects), so the severity is raised only when the later definition carries active content (an action, JavaScript, or a launch or open-action entry).
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels show which channel (macro, JavaScript, link annotation, document body, ...) reached each URL.
    Redirector URL (link annotation):
    • https://ttraff.com/pify?keyword=scrum+daily+standup+template
    External PDF links (link annotations, the link farm):
    • http://birika.jacketboosters.com/uploads/1/3/1/4/131453293/2015058.pdf
    • https://cdn.shopify.com/s/files/1/0427/4028/5607/files/68064428600.pdf
    • https://cdn.shopify.com/s/files/1/0429/7667/3946/files/62328266563.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/xugufu.pdf
    • https://cdn.shopify.com/s/files/1/0431/2426/1026/files/15190307750.pdf
    • https://cdn.shopify.com/s/files/1/0432/6824/3624/files/zubutoxarafasu.pdf
    • https://cdn.shopify.com/s/files/1/0434/1566/6840/files/wibilexe.pdf
    • https://cdn.shopify.com/s/files/1/0430/0396/9689/files/juxixuxilamerupemozomime.pdf
    • https://cdn.shopify.com/s/files/1/0434/0586/9213/files/14839415417.pdf
    • https://cdn.shopify.com/s/files/1/0430/6485/2634/files/hurtta_adventure_sele_storleksguide.pdf
    XMP/RDF namespace identifiers (from the metadata stream; these are schema names, not clickable links, and are expected in any wkhtmltopdf/Qt output):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
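The three heuristics above (redirector/link-farm clustering, duplicate object bodies, and URLs reached by annotation versus metadata) can be reproduced with a small scanner. The block below is an added example written for this report, not the analysis engine's own code. It builds a constructed PDF-like byte string in memory that mirrors the shape of this sample (the page's link list as /Link annotations, an XMP metadata stream, and the catalog object redefined in an appended incremental update with an /OpenAction pointing at the redirector), then scores it. The thresholds (100 KB, five links, 50% host clustering) and the "high" severity label are assumptions chosen for illustration; the object scanner is a lightweight regex pass, not a full PDF parser, and the constructed sample omits xref tables because the scanner does not need them.

```python
import hashlib
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed input (assumption: not the analysed sample, only its link list).
LINK_TARGETS = [
    "https://ttraff.com/pify?keyword=scrum+daily+standup+template",
    "http://birika.jacketboosters.com/uploads/1/3/1/4/131453293/2015058.pdf",
    "https://cdn.shopify.com/s/files/1/0427/4028/5607/files/68064428600.pdf",
    "https://cdn.shopify.com/s/files/1/0429/7667/3946/files/62328266563.pdf",
    "https://cdn.shopify.com/s/files/1/0433/0687/7080/files/xugufu.pdf",
    "https://cdn.shopify.com/s/files/1/0431/2426/1026/files/15190307750.pdf",
    "https://cdn.shopify.com/s/files/1/0432/6824/3624/files/zubutoxarafasu.pdf",
    "https://cdn.shopify.com/s/files/1/0434/1566/6840/files/wibilexe.pdf",
    "https://cdn.shopify.com/s/files/1/0430/0396/9689/files/juxixuxilamerupemozomime.pdf",
    "https://cdn.shopify.com/s/files/1/0434/0586/9213/files/14839415417.pdf",
    "https://cdn.shopify.com/s/files/1/0430/6485/2634/files/hurtta_adventure_sele_storleksguide.pdf",
]

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")                       # URI action entries
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"'()\]]+")              # naive grep, for contrast
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
ACTIVE_TOKENS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/URI")


def build_sample_pdf() -> bytes:
    """Constructed PDF-like bytes: one page of /Link annotations, XMP metadata,
    then an incremental update that redefines the catalog with an /OpenAction."""
    first = 6  # annotation objects follow the five fixed objects
    annots = "".join(
        f"{first + i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [20 {700 - 14 * i} 300 {712 - 14 * i}] "
        f"/A << /S /URI /URI ({url}) >> >>\nendobj\n"
        for i, url in enumerate(LINK_TARGETS)
    )
    refs = " ".join(f"{first + i} 0 R" for i in range(len(LINK_TARGETS)))
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:dc="http://purl.org/dc/elements/1.1/" '
           'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    original = (
        "%PDF-1.4\n"
        "1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>\nendobj\n"
        "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
        f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{refs}] >>\nendobj\n"
        "4 0 obj\n<< /Title (Scrum daily standup template) /Producer (wkhtmltopdf 0.12.5) >>\nendobj\n"
        f"5 0 obj\n<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\nstream\n{xmp}\nendstream\nendobj\n"
        + annots + "%%EOF\n"
    )
    # Incremental update: object 1 0 defined again with a different body that
    # auto-opens the redirector. A first-wins reader never sees this.
    update = (
        "1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R "
        f"/OpenAction << /S /URI /URI ({LINK_TARGETS[0]}) >> >>\nendobj\n%%EOF\n"
    )
    return (original + update).encode("latin-1")


def extract_uris(pdf: bytes) -> list:
    """URLs reached through /URI actions (link annotations, OpenAction, ...)."""
    return [m.decode("latin-1") for m in URI_RE.findall(pdf)]


def all_http_urls(pdf: bytes) -> list:
    """Every http(s) string in the file, including XMP namespace identifiers."""
    return sorted({m.decode("latin-1") for m in ANY_URL_RE.findall(pdf)})


def link_farm_assessment(pdf: bytes, max_size=100_000, min_links=5, cluster_ratio=0.5) -> dict:
    """PDF_SEO_LINK_FARM-style check: small file, many actionable links, one dominant host."""
    uris = extract_uris(pdf)
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(uris) if uris else 0.0
    return {
        "size": len(pdf),
        "uri_count": len(uris),
        "pdf_link_count": sum(urlsplit(u).path.lower().endswith(".pdf") for u in uris),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "flagged": len(pdf) <= max_size and len(uris) >= min_links and share >= cluster_ratio,
    }


def find_duplicate_objects(pdf: bytes) -> list:
    """PDF_DUPLICATE_OBJ_BODY-style check: same (num, gen) defined with different bytes.
    Severity is raised (assumed label 'high') only when a definition carries active content."""
    seen = {}
    for num, gen, body in OBJ_RE.findall(pdf):
        seen.setdefault((int(num), int(gen)), []).append(body.strip())
    findings = []
    for key, bodies in seen.items():
        if len({hashlib.sha256(b).digest() for b in bodies}) < 2:
            continue  # identical copies are harmless re-saves
        active = any(tok in b for b in bodies for tok in ACTIVE_TOKENS)
        findings.append({"obj": key, "definitions": len(bodies), "first_wins": bodies[0],
                         "last_wins": bodies[-1], "severity": "high" if active else "info"})
    return findings


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(link_farm_assessment(sample))
    for f in find_duplicate_objects(sample):
        print(f["obj"], f["severity"], f["last_wins"][:80])
    print(sorted(set(all_http_urls(sample)) - set(extract_uris(sample))))
```

The contrast between extract_uris and all_http_urls is the point of the EMBEDDED_URL caveat: a plain URL grep also returns the XMP namespace identifiers, which are never reachable by a click, so the channel label (annotation versus metadata) matters more than the URL count. For real samples, swap the regex object pass for a proper parser that handles streams, object streams and xref, since attackers can hide an "endobj" or a second definition inside a compressed stream this scanner would miss.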

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00005b8b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5B8B  5424 bytes
  SHA-256: f4f9803f5237e9f4852673c6ba1e946e47a37356e64619f75224863a23b7f310
font_01_sfnt_off00006ddb.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6DDB  3232 bytes
  SHA-256: acbe51734454aff9212fca4511dd82dbfc6657021ced24416349fb029cf43992
font_02_sfnt_off00007ae5.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7AE5  9836 bytes
  SHA-256: 153230e51af87107a6155e5ae65f41fc865ac7e9aee5f802f54cf1d9c2d7fa52