Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5665688d09a9849…

MALICIOUS

PDF

48.7 KB Created: 2020-08-09 05:55:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c1ff89193ae0bc407f15e73b80ba0489 SHA-1: d401837b9b1277d382694a94922c6221e27f8744 SHA-256: e5665688d09a98499e1da391698196226e10825ce815918c1ae51a69c1054747
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.com, which is designed to lure users into clicking on further links. The document body and embedded links suggest a phishing attempt, likely to deliver a second-stage payload or lead to credential harvesting. The presence of numerous external PDF links, many hosted on Shopify, indicates a link farm used for SEO poisoning or to obscure the final malicious destination.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=forms+of+breach+of+contract+pdf
    • http://files.mrseichhornsvirtualclassroom.com/uploads/1/3/2/6/132695531/xinubadog.pdf
    • http://files.4-ucorp.com/uploads/1/3/0/7/130739567/7385382.pdf
    • http://files.lorenzomasnah.com/uploads/1/3/1/1/131164402/da562e836cd0a.pdf
    • http://viruf.silverwoodplantation.net/uploads/1/3/1/6/131636725/linuvimakikijire.pdf
    • https://cdn.shopify.com/s/files/1/0432/7990/9017/files/26746647760.pdf
    • https://cdn.shopify.com/s/files/1/0431/2032/8853/files/xudoxarusifeba.pdf
    • https://cdn.shopify.com/s/files/1/0431/6112/5025/files/types_of_computer_virus.pdf
    • https://cdn.shopify.com/s/files/1/0437/0091/2278/files/wujetu.pdf
    • https://cdn.shopify.com/s/files/1/0435/3998/8648/files/gubejuvanuwefisigunep.pdf
    • https://cdn.shopify.com/s/files/1/0437/8938/5885/files/manual_biologie_clasa_11_cd_press.pdf
    • https://cdn.shopify.com/s/files/1/0437/7640/9751/files/behringer_xr16_manual.pdf
    • https://cdn.shopify.com/s/files/1/0429/3538/6265/files/gufavoviwumapug.pdf
    • https://cdn.shopify.com/s/files/1/0444/4323/8567/files/ielts_writing_task_1_band_descriptors_public_version.pdf
    • https://cdn.shopify.com/s/files/1/0432/9914/3838/files/43709794492.pdf
    • https://cdn.shopify.com/s/files/1/0430/5597/2505/files/winaw.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008007.bin
f75dd654c0c49b48cf62448e3c62d6b3c3fe940fc3737c2dbcf5d2038afb0a8d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8007 5460 bytes
font_01_sfnt_off00009264.bin
556593d4f17307e076b3f3d8cbc76dd17a319d329fe9c0d9f0001903548834a8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9264 10472 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.