Malicious PDF — malware analysis report

Static analysis result for SHA-256 eac70b510068848a…

Verdict: MALICIOUS
File type: PDF
Size: 347.5 KB
Created: 2020-08-13 18:44:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 983c9a9da4c7252f6343e2e55b362792
SHA-1: 9778791901b115ded4ce91f32d756b4dd7e745f1
SHA-256: eac70b510068848ab2759c6969c570ad12357aefd67501a8218bf8e75e9a7ba5
Risk score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.com, which is likely intended to lead the user to a malicious site. The document body, though heavily obfuscated, contains the same URL, suggesting a phishing or credential harvesting attempt. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] (PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/wb?keyword=food%20additives%20toxicology%20pdf
    • http://files.socialinnovationfredericton.com/uploads/1/3/0/8/130813777/pimex.pdf
    • http://lofotar.aishasuniquecosmetics.com/uploads/1/3/0/7/130776436/zovenad.pdf
    • http://files.artcouturedesign.com/uploads/1/3/1/3/131398308/8639616.pdf
    • https://cdn.shopify.com/s/files/1/0428/9023/1974/files/66854670227.pdf
    • https://cdn.shopify.com/s/files/1/0433/6638/3768/files/dafiwidonuxumosotuj.pdf
    • https://cdn.shopify.com/s/files/1/0429/9482/7418/files/storyboard_template_a3.pdf
    • https://cdn.shopify.com/s/files/1/0430/7176/6681/files/simekixonirene.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/monazata.pdf
    • https://cdn.shopify.com/s/files/1/0438/9906/0392/files/diluxamitipariwida.pdf
    • https://cdn.shopify.com/s/files/1/0437/0821/9547/files/rock_forming_minerals_in_thin_section.pdf
    • https://cdn.shopify.com/s/files/1/0433/9413/8268/files/grendel_borderlands_2.pdf
    • https://cdn.shopify.com/s/files/1/0431/6712/1565/files/57956408080.pdf
    • https://cdn.shopify.com/s/files/1/0438/8945/9368/files/difference_between_discrete_and_continuous_probability_distribution.pdf
    • https://cdn.shopify.com/s/files/1/0438/9103/2216/files/boxifofojibexasevo.pdf
    • https://cdn.shopify.com/s/files/1/0435/7757/3539/files/how_to_make_commands_on_twitch.pdf
    • https://cdn.shopify.com/s/files/1/0436/8711/6965/files/botany_notes_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0434/1910/7480/files/maxetuwiwefubata.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000523f8.bin
    SHA-256: 7903bd4e9bbf7ca85cb102a6b1fcd11991236271c0f5412d3044a86ccfe4baf7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x523F8
    Size: 5412 bytes
  • Filename: font_01_sfnt_off00053696.bin
    SHA-256: 1f8398f0b5991855d1bfbf538f2574a03b41c359e7e28a1a0c18d3b34cb992f4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x53696
    Size: 12152 bytes