Malicious PDF — malware analysis report

Static analysis result for SHA-256 e950cc836d94327a…

MALICIOUS

PDF

40.7 KB Created: 2020-09-01 12:10:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 013811cd75fb53b597926bb24cb2974e SHA-1: 6f844edf7af56a543e20d5ee8aae95c4deea0db2 SHA-256: e950cc836d94327abf15b036b505b5d2537e5d265dfc79c503dfdc635017931c
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.com, which is disguised as a guide for the game Runescape. This indicates a social engineering attempt to lure users to malicious infrastructure. The PDF also contains a large number of embedded links, many pointing to Shopify, which is characteristic of SEO spam or link farm techniques used to distribute malicious content. No scripts were extracted, but the presence of the malicious redirector and the SEO link farm strongly suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=runescape+2007+barrows+pure+guide
    • https://cdn.shopify.com/s/files/1/0435/2750/4024/files/4727012393.pdf
    • https://cdn.shopify.com/s/files/1/0432/7007/8617/files/84457134702.pdf
    • https://cdn.shopify.com/s/files/1/0435/9654/6216/files/search_inside_windows.pdf
    • https://cdn.shopify.com/s/files/1/0429/6821/9799/files/75647625771.pdf
    • https://cdn.shopify.com/s/files/1/0461/9400/0023/files/lexmark_c544dn_manual.pdf
    • https://static.usrfiles.com/ugd/51c472_276894b0dd504c72908b2379c38674bd.pdf
    • https://static.usrfiles.com/ugd/db1da1_4fd956206a9b44259cb504dd150de4a3.pdf
    • https://static.usrfiles.com/ugd/90423f_f4d2ce7c1cc34cf2b89826b6e3e6c474.pdf
    • https://static.usrfiles.com/ugd/b8c837_607fbfb1d5f645238b825f8f09e0339f.pdf
    • https://static.usrfiles.com/ugd/b3bc21_9192ff8b5911453c99d829e84d8e6fa8.pdf
    • https://static.usrfiles.com/ugd/b8c837_bd283b680f7540edaa1e482e831b5bc9.pdf
    • https://static.usrfiles.com/ugd/9b33c5_9d51ee19cd5146f1b08aeaaaa15b7037.pdf
    • https://static.usrfiles.com/ugd/43d598_3e1887915287470da77e2c26969f97c5.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005fae.bin
3bdfc0343de78791324327ff8e115b4095bcd26afec0790818712328f37c184a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FAE 5804 bytes
font_01_sfnt_off00007399.bin
e4be222bbe3fae2b706870ef05fc6f9faca9ab791d05a700ed900d19e0ceb68d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7399 10104 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.