Malicious PDF — malware analysis report

Static analysis result for SHA-256 c9d918052e404356…

Verdict: MALICIOUS
File type: PDF
Size: 56.7 KB
Created: 2020-09-17 08:43:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c27759e731367e84a197dbef99dc9731
SHA-1: 1afed343c0ddc9f6245d122eeab0cfe7096edd16
SHA-256: c9d918052e404356ce138a7a4944b75b13f9513bd205b8893d1d8401cd141706
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF fires the PDF_MALICIOUS_REDIRECTOR_LINK heuristic, indicating that it directs users to malicious infrastructure. It also fires PDF_SEO_LINK_FARM, which flags a large number of embedded links, many of them pointing to external PDFs. The primary malicious URL identified is https://ttraff.me/wix?keyword=summoners+war+magic+shop+guide, which is likely part of a phishing or scam campaign. The document body, though heavily obfuscated, contains references to 'summoners war magic shop guide', reinforcing the lure. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.me/wix?keyword=summoners+war+magic+shop+guide

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off00007b5e.bin
    SHA-256: 65e89eaa60ed0457cca3efaffc5be9d0dbc5763ecee4136fb5a7f02003ffdab8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7B5E
    Size: 5452 bytes
  • font_01_sfnt_off00008db2.bin
    SHA-256: c84344852531539b1e59a0e8c48c9a3ca26b57194cc62edf0be11a2f6ff22790
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8DB2
    Size: 10540 bytes
  • font_02_sfnt_off0000b1e5.bin
    SHA-256: 2c5f1a2e3d9f683f6a217a47aeaaae813f7d4ef732a5ff54a929695507d09140
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB1E5
    Size: 16092 bytes
  • font_03_sfnt_off0000c6ab.bin
    SHA-256: ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC6AB
    Size: 4324 bytes