Malicious PDF — malware analysis report

Static analysis result for SHA-256 cbe4d7e968a00330…

Verdict: MALICIOUS
File type: PDF
Size: 43.8 KB
Created: 2020-08-30 08:42:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c0b5d0cca37d4616e094f2ba862df80f
SHA-1: a6b4c5a79e84519d2cbbaa399b5a02820276e1d8
SHA-256: cbe4d7e968a00330d721b724708d93dc735a144f6eb3681c5ca1cf27dbc70ff6
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a high number of embedded links, and a critical heuristic fired for a known malicious redirector. The primary malicious URL identified is ttraff.me, which is likely used to redirect users to a phishing or malware site. The document body, though heavily obfuscated, contains the same URL, suggesting it is the intended destination. No scripts were extracted, which limits analysis of any direct payload execution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/wix?keyword=histoire+de+la+logistique
    • https://cdn.shopify.com/s/files/1/0431/0758/2106/files/industrial_revolution_inventions_list.pdf
    • https://cdn.shopify.com/s/files/1/0457/9200/2204/files/apple_google_play_store.pdf
    • https://cdn.shopify.com/s/files/1/0428/4514/3207/files/seveselifomujoxufawi.pdf
    • https://cdn.shopify.com/s/files/1/0465/4917/2382/files/akashic_records_light_novel.pdf
    • https://cdn.shopify.com/s/files/1/0430/9801/3845/files/63835796211.pdf
    • https://cdn.shopify.com/s/files/1/0428/2325/4179/files/54597283353.pdf
    • https://static.usrfiles.com/ugd/67e251_828c9161dc52401394bd51a6bd273b82.pdf
    • https://static.usrfiles.com/ugd/b8c837_8642fb330a784758b48b2f0409f352f2.pdf
    • https://cdn.shopify.com/s/files/1/0431/8484/9045/files/classical_mechanics_leonard_susskind.pdf
    • https://cdn.shopify.com/s/files/1/0430/6737/5777/files/robotivolesexo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/f

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000694d.bin | 5267be0c60b568a07493c7013e36b537d33d4a6c31311ee16e958368fb9203e8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x694D | 5080 bytes
font_01_sfnt_off00007a89.bin | ba736d494a3e14d39889041f817f48050fa1edca3ef981f7e7ad01c5ac7b955d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7A89 | 12288 bytes