Malicious PDF — malware analysis report

Static analysis result for SHA-256 da7bbb2488e29663…

Verdict: MALICIOUS
File type: PDF
Size: 44.0 KB
Created: 2020-08-08 15:46:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: acae71d68bdff5960292303e2d87e578
SHA-1: e73715f650a6d1b9440e0ce00836911d1aad244d
SHA-256: da7bbb2488e2966357da0994f67d1630523c04d553ee9fc9ebb9973d169f5da5
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains numerous embedded links, with a critical heuristic firing for a malicious redirector. The primary link directs to 'ttraff.com', which is flagged as malicious. Another heuristic indicates a PDF link farm, suggesting an attempt to manipulate search engine results or distribute malicious content. The document body, though heavily obfuscated, contains the malicious URL, reinforcing the attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.com/wb?keyword=water%20vapor%20pressure%20table%20pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000057b9.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x57B9
    Size: 5248 bytes
    SHA-256: 227ff93df668d739bf544ba2b098f6ed37ce75b70622f8a5672928ebf2c1b794
  • font_01_sfnt_off000069ad.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x69AD
    Size: 10776 bytes
    SHA-256: bf63b6e68c23e3d958796163bd049e430f6841eaf8bce359a8c2c4837c6eebb9
  • font_02_sfnt_off00008eac.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8EAC
    Size: 16036 bytes
    SHA-256: 9559dd1bd908241551916101fda3d445a26f5c4b506a1423f23393456f9d5940