Malicious PDF — malware analysis report

Static analysis result for SHA-256 ca7cb5116c84d475…

MALICIOUS

PDF

85.6 KB Created: 2020-09-08 16:41:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b269f5289933df66698896f7bb3ed570 SHA-1: 718af8f75335c7b9acc5b56c89517d08589642d7 SHA-256: ca7cb5116c84d475d4c974cac9e2d967dde213bc7d5cb280989e48f35ef7966e
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF was flagged for containing a malicious redirector link and a large number of external links, suggesting a link farm. The primary malicious URL identified is 'https://ttraff.link/wix?keyword=atorvastatin+drug+form'. The document body contains garbled text but includes the same URL, reinforcing its malicious nature. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=atorvastatin+drug+form
    • https://cdn.shopify.com/s/files/1/0441/3220/4696/files/dashboard_template_github.pdf
    • https://cdn.shopify.com/s/files/1/0433/8758/4661/files/56345546411.pdf
    • https://cdn.shopify.com/s/files/1/0437/1018/5621/files/pebulowojuvipaliseximegix.pdf
    • https://static.usrfiles.com/ugd/b8c837_6fab0fb2f8284ee8a177317f2dddbf43.pdf
    • https://static.usrfiles.com/ugd/6846fe_4e29b413c2644dfba002a7597555a054.pdf
    • https://static.usrfiles.com/ugd/b8c837_22b63078c113456380a9961e3a46eb28.pdf
    • https://cdn.shopify.com/s/files/1/0434/1566/6849/files/50655962493.pdf
    • https://cdn.shopify.com/s/files/1/0432/5618/4992/files/nepimezezivap.pdf
    • https://cdn.shopify.com/s/files/1/0431/5627/5362/files/monamep.pdf
    • https://cdn.shopify.com/s/files/1/0437/9744/6818/files/liredimarebotexozamin.pdf
    • https://cdn.shopify.com/s/files/1/0434/7104/4770/files/16582995047.pdf
    • https://cdn.shopify.com/s/files/1/0438/4469/8272/files/54705737372.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000105e4.bin
ace83c9485bcad8dbaaf10a44cfc7ccc8cca86d1eda64e2a5e46fb251e44f2a3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x105E4 5244 bytes
font_01_sfnt_off000117b0.bin
5c8d4e9cee373105de288a26e260aa0a229f1f43976402740dceb5602302c3b5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x117B0 15920 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.