Malicious PDF — malware analysis report

Static analysis result for SHA-256 df4d63a8e17b8c5d…

MALICIOUS

PDF

41.1 KB Created: 2020-08-02 07:31:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c3fd121ef31d5fcacab5711bcd931f0c SHA-1: 071fc33a61cb52829519caece7f86aabf1c1a6bb SHA-256: df4d63a8e17b8c5d7962ce3e8b0954a106e2b33101090c88e5cb40ad08a2bb2b
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.com, which is disguised as a "Speed queen parts manual". The document also hosts a large number of links to other PDFs, likely for SEO manipulation to improve the ranking of the malicious redirector. The ML classifier strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=speed+queen+parts+manual
    • http://files.goproremovals.co.uk/uploads/1/3/1/3/131379671/wodibobebol.pdf
    • http://files.valeriegriffinrece.com/uploads/1/3/1/4/131452958/7149590.pdf
    • http://files.cancermessedwiththewrongfamily.com/uploads/1/3/1/1/131164202/7fee43.pdf
    • http://files.stamellstring.com/uploads/1/3/0/9/130969984/4003678.pdf
    • http://files.herrimanhighchoirs.org/uploads/1/3/1/8/131871642/9583670.pdf
    • https://cdn.shopify.com/s/files/1/0434/3149/3784/files/90699349955.pdf
    • https://cdn.shopify.com/s/files/1/0435/9494/0573/files/34360505160.pdf
    • https://cdn.shopify.com/s/files/1/0427/6148/6503/files/sutonisevimumomanulid.pdf
    • https://cdn.shopify.com/s/files/1/0435/1095/6196/files/podizefaxanujebufoso.pdf
    • https://cdn.shopify.com/s/files/1/0435/4444/5092/files/cathay_pacific_fanfares.pdf
    • https://cdn.shopify.com/s/files/1/0437/6172/9685/files/48898237645.pdf
    • https://cdn.shopify.com/s/files/1/0431/6394/3067/files/javascript_go_back.pdf
    • https://cdn.shopify.com/s/files/1/0431/3877/7249/files/nilaguwakurewitavixe.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/30151397197.pdf
    • https://cdn.shopify.com/s/files/1/0427/4978/8327/files/32447437383.pdf
    • https://cdn.shopify.com/s/files/1/0428/5969/2198/files/15761141563.pdf
    • https://cdn.shopify.com/s/files/1/0428/1594/6911/files/kixowozo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005d4a.bin
7e59b811fd64dac72b4c46035f48610dce048c12c9d56ac9666477026d64b020		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D4A 5336 bytes
font_01_sfnt_off00006f4e.bin
9d40964234070c01a230adc7433d3e5aad568155f1740706a89559ad23d8b24c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F4E 12788 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.