Malicious PDF — malware analysis report

Static analysis result for SHA-256 d80ed64afdafb338…

MALICIOUS

PDF

Size: 75.2 KB
Created: 2020-09-11 09:57:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 028b88a43a5bdb85cc0f5ae5093000cc
SHA-1: 8ee6334ea6ddb1a016c901cd09937c4609794960
SHA-256: d80ed64afdafb338bb7056b24b8518aecc3ee45c49a0719ffc2e85358db06da7
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.club/wix?keyword=dilutions+worksheet+w329'. This URL is likely used to redirect users to a malicious site for phishing or malware delivery. The document body, though heavily obfuscated, contains the same URL and appears to be generated by wkhtmltopdf, suggesting it was created programmatically to host links. The presence of numerous other PDF links, many pointing to Shopify, indicates a link farm strategy, likely to improve SEO for the malicious redirector.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=dilutions+worksheet+w329
    • https://cdn.shopify.com/s/files/1/0433/8014/6339/files/5_guidelines_for_effective_communication.pdf
    • https://cdn.shopify.com/s/files/1/0430/4555/2290/files/sebiledexazona.pdf
    • https://cdn.shopify.com/s/files/1/0436/2102/3904/files/25839813449.pdf
    • https://cdn.shopify.com/s/files/1/0431/7537/9101/files/26158127619.pdf
    • https://cdn.shopify.com/s/files/1/0437/9534/9661/files/infeccion_por_adenovirus_en_nios.pdf
    • https://cdn.shopify.com/s/files/1/0449/2935/1835/files/mexoluxibuweguzotafudaju.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/94260126358.pdf
    • https://cdn.shopify.com/s/files/1/0433/0009/4112/files/css_position_absolute.pdf
    • https://cdn.shopify.com/s/files/1/0430/4017/8333/files/jafigoledufoki.pdf
    • https://cdn.shopify.com/s/files/1/0432/5241/6672/files/dojeraj.pdf
    • https://static.usrfiles.com/ugd/9904c2_a22ec3cec9a14caaa8fd21d85edf0e62.pdf
    • https://static.usrfiles.com/ugd/917232_f5720709b27a486783e1aec3d839121b.pdf
    • https://static.usrfiles.com/ugd/c450b2_7123e7c5011743fe83c6453c79f7eead.pdf
    • https://static.usrfiles.com/ugd/0049ca_0d0113ac52184a02aa1d5658db32a25b.pdf
    • https://static.usrfiles.com/ugd/1d3654_22e0157085404f1188f769bfdf96441d.pdf
    • https://static.usrfiles.com/ugd/2274a7_031d5b72d47d4816a8b212a029a84a01.pdf
    • https://static.usrfiles.com/ugd/764aaa_632a38f7ef1b4733ad6f8caf653da8c8.pdf
    • https://static.usrfiles.com/ugd/b85eb0_424edb7698df4a0199f1bf7d12211661.pdf
    • https://static.usrfiles.com/ugd/2e4eb4_8e519ac9a30c4242b14084e8f88dd3ca.pdf
    • https://static.usrfiles.com/ugd/a9248e_538e4f944a14430c83941cd3e531b086.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000defe.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xDEFE   2828 bytes
  SHA-256: dd7b880f1c6958317b71933e3175eb4154b1281d355b69180e4ce829e506ee21
font_01_sfnt_off0000e8f8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE8F8   5168 bytes
  SHA-256: 40e0a2abb3e5ca3fdfe3dc5e5b359acd9389b60e662466606f22c43b825660cd
font_02_sfnt_off0000fa9a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFA9A   10208 bytes
  SHA-256: dd28dba46ad4d7fc94e634023b59aed57a380cdee60f930e7c62bcdf91552b9e