Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1aca2a20016434e…

MALICIOUS

PDF

38.0 KB Created: 2020-08-22 19:17:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b083844740c0a450b6197f412c1cdfe9 SHA-1: 483f5ec4d54af843ee7d4eb44cac7151cb13792c SHA-256: d1aca2a20016434edb1a57ed3859e0e1a96f55a7af6a0e7992f2bf3f5789722c
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link pointing to ttraff.com. The document body, though heavily obfuscated, contains text related to 'Movie tv guide brisbane' and the malicious URL. The presence of numerous embedded PDF links, many hosted on Shopify, suggests a link farm or SEO poisoning tactic to distribute the malicious content. The primary intent appears to be redirecting users to malicious infrastructure via the ttraff.com URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=movie+tv+guide+brisbane
    • http://files.kil-n-it.com/uploads/1/3/1/4/131437312/kamawixexaritalo.pdf
    • https://cdn.shopify.com/s/files/1/0433/2843/8440/files/pugofupagifadamepow.pdf
    • https://cdn.shopify.com/s/files/1/0433/0110/9920/files/91520450781.pdf
    • https://cdn.shopify.com/s/files/1/0431/1724/8672/files/89325083540.pdf
    • https://cdn.shopify.com/s/files/1/0431/0489/5143/files/48937277174.pdf
    • https://cdn.shopify.com/s/files/1/0434/9529/3094/files/ctet_answer_key_december_2020.pdf
    • https://cdn.shopify.com/s/files/1/0436/6349/1222/files/dotezamav.pdf
    • https://cdn.shopify.com/s/files/1/0432/8279/2606/files/beulah_land_guitar_chords.pdf
    • https://cdn.shopify.com/s/files/1/0435/0840/0280/files/kudetidasuzikubenile.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/55079075607.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000057c1.bin
634eb4140d40802d55f05696a4ab733715c625a840dd68a1c4fb23d784e4eecd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x57C1 5164 bytes
font_01_sfnt_off0000696e.bin
c9f588adc6bed25270e816eb6b78db8968167b093c0e6c5e0bf9e7ecb4b18245		 pdf-font-stream PDF embedded font (sfnt) at offset 0x696E 10028 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.