Malicious PDF — malware analysis report

Static analysis result for SHA-256 d993b3074a9b1638…

MALICIOUS

PDF

37.3 KB Created: 2020-09-01 13:00:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 068a81203c56c472ca837abb1168df81 SHA-1: 56170af699577733eee175899fad00ac5a636db4 SHA-256: d993b3074a9b16381333e8b2e22826865d0d5ba9378fce8439e5ae06a394cb6e
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, directing users to 'https://ttraff.cc/wix?keyword=polyvine+decorators+varnish+safety+data+sheet'. This URL is presented within the document body, disguised as a safety data sheet. The PDF also contains a link farm heuristic, indicating a large number of external links, many of which point to benign Shopify domains. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=polyvine+decorators+varnish+safety+data+sheet
    • https://static.usrfiles.com/ugd/1849a1_51a0bd250a8b4eb58886969892cfacb9.pdf
    • https://static.usrfiles.com/ugd/85d67f_4e315da39b12415d8f8fdba3bb9b5533.pdf
    • https://static.usrfiles.com/ugd/b8c837_68d2c8855b2a4a2b8bc2f4f02c9fc655.pdf
    • https://static.usrfiles.com/ugd/bd5c68_11d087e67dc34419908fcd3e0c301a03.pdf
    • https://static.usrfiles.com/ugd/51c472_e93fd316eb934e599692e45177ad0c8a.pdf
    • https://static.usrfiles.com/ugd/b8c837_fa3f1faec73e480c94bc9a41c8222df8.pdf
    • https://cdn.shopify.com/s/files/1/0435/5194/8963/files/nomiwokipodozorodojaxibe.pdf
    • https://cdn.shopify.com/s/files/1/0428/0510/0707/files/pidonexaxijizive.pdf
    • https://cdn.shopify.com/s/files/1/0433/8037/5710/files/jojewetosedi.pdf
    • https://cdn.shopify.com/s/files/1/0429/9273/0275/files/fatenuriwadolam.pdf
    • https://cdn.shopify.com/s/files/1/0431/3779/4204/files/coulomb_s_law_download.pdf
    • https://cdn.shopify.com/s/files/1/0432/5575/9006/files/witizibexivujirisotozaji.pdf
    • https://cdn.shopify.com/s/files/1/0432/5546/4104/files/35965160350.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000054c5.bin
a6aa311ef542f2ae33dab4f5f73d565c1cd613f55847c597f56ffa95a2167282		 pdf-font-stream PDF embedded font (sfnt) at offset 0x54C5 5272 bytes
font_01_sfnt_off000066b8.bin
7e379f5d2590197cbe993702802f29dc1ca2ed16cf3e1065b0ee367ef55df344		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66B8 9948 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.