Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1bbd56ae0ef34de…

MALICIOUS

PDF

Size: 40.3 KB
Created: 2020-08-18 13:19:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a2b127615bdd43146ba37043214b0e85
SHA-1: 4ca01fe8ded2e753a7655d6ed7f7ffaf1621cd52
SHA-256: d1bbd56ae0ef34de82102cf3eab083d9cb9d67146d5cabf1a2e7b608bb4ae36e
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links, many pointing to Shopify domains, but one critical link redirects to a known malicious domain, ttraff.com. This suggests a link farm or SEO poisoning tactic to distribute malicious content. The ML classifier also strongly flagged this PDF as malicious. The primary attack pattern involves luring users to click the malicious redirector URL, which likely leads to further malicious payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=gcf+and+lcm+worksheet+with+answers+pdf (the redirector link flagged above)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005f87.bin
    SHA-256: 16e23cac37dfa6b2379e0696b87d3b53c1058f89ff4bc1fb61a7e323a287dcfb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5F87
    Size: 5584 bytes
  • Filename: font_01_sfnt_off0000726c.bin
    SHA-256: 27b28d0743f7c135e1c69c3575711719444266a8069a56e4d9c7b7f718384546
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x726C
    Size: 9992 bytes