Malicious PDF — malware analysis report

Static analysis result for SHA-256 e3765205f3cbce70…

MALICIOUS

PDF

60.1 KB Created: 2020-08-31 01:51:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a04582abec3f85de706ac94404f2cbb1 SHA-1: fa7e055efcb4a8de51880bced13db2479027d859 SHA-256: e3765205f3cbce70d02d83bcb9675b92a89f1fd2db1fcc70cf83bd56195e8fbb
90 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.com/wix?keyword=akasam+kindiki+vaste+naa+song'. The document body, though heavily obfuscated, contains this same URL, suggesting it is the primary lure. The file was generated by wkhtmltopdf, a tool often used to create malicious PDFs. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=akasam+kindiki+vaste+naa+song
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/2857609843.pdf
    • https://cdn.shopify.com/s/files/1/0433/6723/5742/files/71935411885.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/tavolotifejenirogamofiv.pdf
    • https://cdn.shopify.com/s/files/1/0430/3385/4103/files/26851632832.pdf
    • https://cdn.shopify.com/s/files/1/0431/3225/6407/files/wozedonokufi.pdf
    • https://static.usrfiles.com/ugd/585b1d_66fc947ace1e4173ac4312237c8c14b7.pdf
    • https://static.usrfiles.com/ugd/b8c837_11e581ef13624aa7a70b29450cc945d2.pdf
    • https://static.usrfiles.com/ugd/0d089b_24c861f4a9a2473fbca6dca4f98814ef.pdf
    • https://static.usrfiles.com/ugd/e745be_11090e681823481ca8de9e07ebd734a1.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000641f.bin
df9c57e75ffac9d14ca8889c3e55fa61ab7f068d826100da902cbd43eafd38cc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x641F 2972 bytes
font_01_sfnt_off00006ea1.bin
42688c04be219e551f113cab522a572959634f100f081a979a5df9f7278bb3ff		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6EA1 5128 bytes
font_02_sfnt_off00008009.bin
6539b129c5cd894636dc8f40f53a156c00c8f46378ab4f137c96d687a1cff6ed		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8009 3720 bytes
font_03_sfnt_off00008b64.bin
6edd2dc65f8cc0d4bfc465674af3a6957927c9580e196fa1f2ecab0bfce717d7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8B64 2024 bytes
font_04_sfnt_off000094fb.bin
e385e78f921c2ff0f7c39770b46ba2f7a1ee3eb319eede787cd9fbf66ffcf4f8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x94FB 10356 bytes
font_05_sfnt_off0000b89d.bin
e1f08e4efe056de3015c7d18876897328b7fbfa5acceed8fb9c129083e8d6d10		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB89D 16600 bytes
font_06_sfnt_off0000cf6c.bin
7671ef4130718f4050199a48ec6fce9380a83a900c32dc8c58bf6a3a7575e07a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCF6C 5136 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.