Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee0e4c24cbc67c30…

MALICIOUS

PDF

41.4 KB Created: 2020-08-31 05:01:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c2ae1c6d0f6188eb6654d0cde3d9115f SHA-1: 57bd7f84d58d66e50f39142696afe34b8ef57504 SHA-256: ee0e4c24cbc67c30589223818ddc157d8b6bc55485b4cf766372a48b73cf79f4
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged as malicious by a machine learning classifier and contains a critical heuristic indicating it's a redirector link. The primary URL, 'https://ttraff.me/wix?keyword=fases+de+korotkoff', is identified as a malicious redirector. The document also contains a large number of embedded links, many pointing to Shopify, which is characteristic of SEO link farm techniques used to obscure malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=fases+de+korotkoff
    • https://cdn.shopify.com/s/files/1/0430/9532/6887/files/22325114937.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/mudamizoxudaxusuzo.pdf
    • https://cdn.shopify.com/s/files/1/0429/0245/4428/files/wobizu.pdf
    • https://cdn.shopify.com/s/files/1/0428/1466/8959/files/functional_training_workout_plan.pdf
    • https://static.usrfiles.com/ugd/69b86f_4413c3d2db1f48d2a1c00f7b3fd27101.pdf
    • https://cdn.shopify.com/s/files/1/0433/1002/2814/files/golitiwizanakosodogomodux.pdf
    • https://cdn.shopify.com/s/files/1/0431/6830/1212/files/hotel_standard_operating_procedures.pdf
    • https://static.usrfiles.com/ugd/b8c837_03eac66e30104d518342abf41c340fb7.pdf
    • https://static.usrfiles.com/ugd/b8c837_73dfdb07c00641189e673e1cfdbd9d78.pdf
    • https://static.usrfiles.com/ugd/2e79a6_63af6133ec8a43afadc7bc90ffabac25.pdf
    • https://static.usrfiles.com/ugd/b8c837_3430b57eb72440158e15e13c15b71568.pdf
    • https://static.usrfiles.com/ugd/0a052f_fc8521f4dabe4f1585c740491fdb99e1.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000644d.bin
e9c435d93f3ac511032450bd14df4a545b5f0f457fce9c43a0fbd09cd7eeb6ce		 pdf-font-stream PDF embedded font (sfnt) at offset 0x644D 4888 bytes
font_01_sfnt_off000074ff.bin
054a1e7c343659f0f4e1fb5428f8663ea2156354167fd118337efd9266345688		 pdf-font-stream PDF embedded font (sfnt) at offset 0x74FF 10764 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.