Malicious PDF — malware analysis report

Static analysis result for SHA-256 c8781063e3ca0de5…

Verdict: MALICIOUS
File type: PDF
Size: 55.6 KB
Created: 2020-08-21 20:45:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b145e5764addbb3583f36453a9c28d28
SHA-1: a3c834e4a05c71473a20fcc15e1dd2f7351b0f26
SHA-256: c8781063e3ca0de5def927a17a3bde11cea39407e8106b934de425cb99ff1af4
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, many hosted on Shopify. The document body, though heavily obfuscated, contains the same malicious URL. The primary attack pattern involves luring users to this malicious redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://ttraff.com/pify?keyword=phrases+and+clauses+exercises+worksheets

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00008309.bin
    SHA-256: 4aba2bb845853324476be69e5ed1bf4ff35002942389efac2b843cac1129f0e9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8309
    Size: 2828 bytes
  • Filename: font_01_sfnt_off00008d04.bin
    SHA-256: 13112e6b07320aee9a2e1690ea42c6f1e13d201e39d0978e638dc61ab691a9ca
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8D04
    Size: 5132 bytes
  • Filename: font_02_sfnt_off00009e78.bin
    SHA-256: ed4f6d4ba04c43d66c719de4ac4dc8a0eda482cbd9d57af949d2cb953c4e6bca
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9E78
    Size: 10104 bytes
  • Filename: font_03_sfnt_off0000c0c9.bin
    SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC0C9
    Size: 4324 bytes