Malicious PDF — malware analysis report

Static analysis result for SHA-256 e143eb76032ef31c…

MALICIOUS

PDF

36.4 KB Created: 2020-08-29 01:18:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00727aba6addddfa9f7e1e6e6fecd810 SHA-1: dba11cab3bddf1ffbd27527643904bdecc681b7f SHA-256: e143eb76032ef31cfb8e5ae8d01fa578dc2ad049a4992cb0546ca8fc720d0520
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs. The document body, though heavily obfuscated, contains the malicious URL, suggesting an attempt to disguise the malicious intent with a seemingly educational topic.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=merriam+webster+visual+dictionary+pd
    • https://cdn.shopify.com/s/files/1/0435/8979/5998/files/tizalesokagaf.pdf
    • https://cdn.shopify.com/s/files/1/0433/7706/6145/files/libro_cerebrito_gratis.pdf
    • https://cdn.shopify.com/s/files/1/0430/7219/2669/files/laporan_pendahuluan_asma_2017.pdf
    • https://cdn.shopify.com/s/files/1/0432/9095/1846/files/63762480163.pdf
    • https://cdn.shopify.com/s/files/1/0427/8976/5279/files/45024209283.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/44411244229.pdf
    • https://static.usrfiles.com/ugd/b8c837_3ae7500b4a6e419fb4371d4f923e6e19.pdf
    • https://static.usrfiles.com/ugd/b8c837_d9c5191d22f84a9d969b58805b3a69d4.pdf
    • https://static.usrfiles.com/ugd/b8c837_7f9e051fc1024cb1a83a812d439373db.pdf
    • https://static.usrfiles.com/ugd/b8c837_1380a990398f4b83bc1111e9664366e4.pdf
    • https://static.usrfiles.com/ugd/b8c837_b65c760b31a648a095036790a0873184.pdf
    • https://static.usrfiles.com/ugd/b8c837_9b6a671e68074d0092aa7839ba5754c4.pdf
    • https://static.usrfiles.com/ugd/b8c837_805e221dfd6a40e4951b39cd64c7af27.pdf
    • https://static.usrfiles.com/ugd/b8c837_4d6ffe30a6784d7c9db0aa693134c622.pdf
    • https://static.usrfiles.com/ugd/b8c837_2556911f02764007aacff729e7e70393.pdf
    • https://static.usrfiles.com/ugd/b8c837_d307585f8fdc43e7ab79e7c39acc6d58.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004df9.bin
49be860579710dbf1e8abc320bf247b3576db5878369e5455f3531fb5cdbeba1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4DF9 5620 bytes
font_01_sfnt_off00006117.bin
a507c50f11885860e71a4f3df2c8cfd5c935c3c4d7a733ba370d77d08a72064c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6117 10740 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.