Malicious PDF — malware analysis report

Static analysis result for SHA-256 deb6e7a0a91c2f01…

MALICIOUS

PDF

56.6 KB Created: 2020-07-24 16:50:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9fb68b0feec4349365042175461e1a29 SHA-1: 376abb8551f2927223d2281a2c42a33124b25a29 SHA-256: deb6e7a0a91c2f010d5ddbea1cd4d25a457ec35192030086233e9c898b522870
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic firing for a malicious redirector. The primary malicious URL identified is ttraff.com, which is used in conjunction with a keyword related to piano tabs to disguise the malicious intent. The document body, though heavily obfuscated, appears to contain metadata related to the PDF's creation, further supporting the idea that the content itself is a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=fur+elise+piano+tab+pdf
    • http://files.pathhomewa.com/uploads/1/3/0/7/130775245/3806079.pdf
    • http://files.ka-bloomgroup.com/uploads/1/3/1/1/131164519/3791987.pdf
    • http://files.shilandsujitarts.com/uploads/1/3/0/7/130775197/minutonameme.pdf
    • http://files.ka-bloomgroup.com/uploads/1/3/1/1/131164519
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/gomejalubewetilukifij.pdf
    • https://cdn.shopify.com/s/files/1/0431/7573/9553/files/56818391001.pdf
    • https://cdn.shopify.com/s/files/1/0429/6137/1290/files/26327867574.pdf
    • https://cdn.shopify.com/s/files/1/0428/0696/8483/files/muxutufigiraxarix.pdf
    • https://cdn.shopify.com/s/files/1/0431/1416/8480/files/24875306593.pdf
    • https://cdn.shopify.com/s/files/1/0432/8180/9558/files/bivujewejotexikisururulev.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/78394199391.pdf
    • https://cdn.shopify.com/s/files/1/0429/9925/1093/files/5346919281.pdf
    • https://cdn.shopify.com/s/files/1/0432/2322/0392/files/93719217228.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006ff1.bin
849a7d204edf155133fa1e973d13eaef24418b918d1aac54e6d69cb9beea359e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FF1 5012 bytes
font_01_sfnt_off000080f6.bin
a36eee06fef6ce219692c4ec918276ac99413e4fd1e3666e4031624f9289d620		 pdf-font-stream PDF embedded font (sfnt) at offset 0x80F6 1800 bytes
font_02_sfnt_off00008983.bin
cae820985bdec2696ea06e38cb18a791702f94346fc04dedb6faa3aa191d801e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8983 16632 bytes
font_03_sfnt_off0000bdc9.bin
46d9b83afd797048ab251ddfc9ca9a6db44f3280724c231f6a80a061bcc6fc12		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBDC9 16120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.