Malicious PDF — malware analysis report

Static analysis result for SHA-256 d286eda3808dd2f8…

Verdict: MALICIOUS
File type: PDF
Size: 55.9 KB
Created: 2020-08-19 08:20:21 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00cc1d3ecb4e0c793b561c4f7da211e8
SHA-1: 73277126db973c5d07ec7199fe23ea561a0d9afd
SHA-256: d286eda3808dd2f83a60ab0956cc93f65bcef1a2386d273e20321f8e2426064a
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.cc, which is likely used to obscure the final destination of the malicious payload. The document body contains garbled text but also includes the movie title 'Agent vinod movie' alongside the malicious URL, suggesting a lure. The presence of a large number of external PDF links, many hosted on Shopify, indicates a link farm SEO tactic to improve search engine ranking for malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious, score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL (link annotation, redirector): https://ttraff.cc/pify?keyword=agent+vinod+movie

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                    Size
font_00_sfnt_off00008919.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8919  4680 bytes
    SHA-256: f4be25308af571d95845b046a6b17a0f9bf760d9cd4be38cbb34e3d62bb039a7
font_01_sfnt_off000098fe.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x98FE  10972 bytes
    SHA-256: f5e2d56bb36c4d0d02618531fc1898cbddd6f443f924195e77dbd38ca77c6805
font_02_sfnt_off0000bdc8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xBDC8  16164 bytes
    SHA-256: ead7fd593d7f5feef6f283420e9b55f8fa4552f107c64b0063d474dd3355abd8