Malicious PDF — malware analysis report

Static analysis result for SHA-256 e765d68369eff9a9…

MALICIOUS

PDF

39.4 KB Created: 2020-07-24 13:51:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 036eede5406d2303780cbf0b1d85dd47 SHA-1: 093bf4b8152f234c74713c4b2154516d9799926b SHA-256: e765d68369eff9a97630f1de24cf2d07a2da16924f17ef63e8fb480a61edf216
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains multiple embedded links, with a critical heuristic identifying a malicious redirector at 'ttraff.com'. The document body, though heavily obfuscated, contains keywords related to sheet music, suggesting a lure. The presence of numerous external PDF links, many hosted on Shopify, indicates a link farm strategy to distribute malicious content. The ML classifier strongly supports the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=jealous+labrinth+sheet+music+free
    • http://files.setonmiraclemiles.com/uploads/1/3/1/6/131636990/af6c589f5ac6d5e.pdf
    • http://files.jenlasheroriginals.com/uploads/1/3/2/6/132682813/sutirudewove-xomukarezoveg-zigazezex-kigawone.pdf
    • http://files.jerkyjerkyfresno.com/uploads/1/3/1/8/131856446/85e326d1e5.pdf
    • http://files.tinafrancis.net/uploads/1/3/0/8/130814749/nizanusiwil-lesafab.pdf
    • http://files.newmorningacu.com/uploads/1/3/2/6/132680994/vonejojobofel.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/84712881745.pdf
    • https://cdn.shopify.com/s/files/1/0428/6241/1935/files/26623815043.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/xoxolesusoziviro.pdf
    • https://cdn.shopify.com/s/files/1/0434/2136/8482/files/kofofup.pdf
    • https://cdn.shopify.com/s/files/1/0432/1912/4382/files/91868946153.pdf
    • https://cdn.shopify.com/s/files/1/0434/9201/6280/files/gukigugowedakukofun.pdf
    • https://cdn.shopify.com/s/files/1/0429/8558/6849/files/70412840475.pdf
    • https://cdn.shopify.com/s/files/1/0429/7667/3946/files/xoritilenajive.pdf
    • https://cdn.shopify.com/s/files/1/0430/2356/4957/files/xaposakutufe.pdf
    • https://cdn.shopify.com/s/files/1/0433/8620/8406/files/fidenazopaf.pdf
    • https://cdn.shopify.com/s/files/1/0434/4276/5991/files/xatabipajoda.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/xoxole

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005be2.bin
c7604cf1ce83297473b898c95c43b8ec190cf1d17c9ed662b4e894dd17768f58		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5BE2 5132 bytes
font_01_sfnt_off00006d22.bin
e061126a621481cfb4281e2e7bb6987d391f0af2087beda33477c32368bddb29		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D22 10328 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.