Malicious PDF — malware analysis report

Static analysis result for SHA-256 d673d4e539055595…

MALICIOUS

PDF

44.1 KB Created: 2020-08-31 01:59:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9ef2c76bb7d2135cae55e9773e25a6f1 SHA-1: cdc4062e26fd7e87cba37f610fe301392f9490c1 SHA-256: d673d4e539055595241c67d74b9fc4ded55434a816384f13b5978b21f20dd808
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a malicious redirector link disguised as a marketing management book. The link leads to `https://ttraff.cc/wix?keyword=livro+gest%25C3%25A3o+de+marketing`, which is flagged as malicious. The document also functions as a link farm, pointing to numerous other PDFs, likely to manipulate search engine results or distribute further malicious content. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=livro+gest%25C3%25A3o+de+marketing
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/gipal.pdf
    • https://cdn.shopify.com/s/files/1/0431/2930/7293/files/cash_flow_statement_in_tally.pdf
    • https://cdn.shopify.com/s/files/1/0434/3866/9976/files/51204972895.pdf
    • https://cdn.shopify.com/s/files/1/0435/3464/7445/files/manosixosodopabafekaxe.pdf
    • https://static.usrfiles.com/ugd/b8c837_8e04610e10ff46a4b195ffd7d0581162.pdf
    • https://static.usrfiles.com/ugd/451461_9c9dd8c4bf814412b912eae67ec31273.pdf
    • https://static.usrfiles.com/ugd/b11f6d_27658c80102e43cea722eed829fda0d3.pdf
    • https://static.usrfiles.com/ugd/b8c837_06205787d8f742418bc3961336617df3.pdf
    • https://static.usrfiles.com/ugd/b8c837_e3438c9ce42e43fda0f973d6262c13d3.pdf
    • https://static.usrfiles.com/ugd/b8c837_d72b41df5afd49369f67247cd0d2f3fa.pdf
    • https://static.usrfiles.com/ugd/cafc24_89ce293858484bc7b1f86d9487b4613c.pdf
    • https://static.usrfiles.com/ugd/3e87bf_475b5de15c3348d2a9ee9650547bf4e9.pdf
    • https://static.usrfiles.com/ugd/0f5b72_b9cdcdae5a4c40419c23b67442c8b205.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000689a.bin
1bb1db902be1e7f16ece9a5b0fa96d66dbda41629d8d333fb61d845dc9a9898f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x689A 5496 bytes
font_01_sfnt_off00007ab5.bin
9f1e7b5fc53b6a28142a5f9e798924bdc0a5318a6ead3bdb495dd497e287ca88		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7AB5 12860 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.