Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef222392aea82ba6…

MALICIOUS

PDF

39.9 KB Created: 2020-07-28 06:51:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b8350b4e7aa522a800e6f3d50d98ae2a SHA-1: 6bc3e7e3fec5a279044d0c6455ceb6a1ef7618b9 SHA-256: ef222392aea82ba690e316077dd6ffdc229fa8f24b8f7098b5010e51dfc8f91f
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to ttraff.cc. Additionally, it exhibits characteristics of a PDF link farm, with numerous external links, many hosted on cdn.shopify.com. The document body, though heavily obfuscated, suggests a lure related to 'geotechnical engineering ppt templates free'. The combination of these factors indicates a phishing or scam attempt designed to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=geotechnical+engineering+ppt+templates+free
    • http://files.hannahjrule.com/uploads/1/3/2/7/132740277/kusivezawate-fitiw.pdf
    • http://files.eifel-wohnmobil.de/uploads/1/3/1/3/131383727/nodolexepazoso.pdf
    • http://files.rogerscitymarina.com/uploads/1/3/1/3/131379042/tukafamalesuji.pdf
    • https://cdn.shopify.com/s/files/1/0431/1928/0288/files/lilopovipovelavororifa.pdf
    • https://cdn.shopify.com/s/files/1/0430/3175/6957/files/jidakemixojatajotupatixa.pdf
    • https://cdn.shopify.com/s/files/1/0428/3577/1558/files/46814376840.pdf
    • https://cdn.shopify.com/s/files/1/0428/3963/8179/files/48257507469.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/wunize.pdf
    • https://cdn.shopify.com/s/files/1/0435/8668/3037/files/50210349677.pdf
    • https://cdn.shopify.com/s/files/1/0431/0079/9140/files/bajilururip.pdf
    • https://cdn.shopify.com/s/files/1/0436/6322/9078/files/3642321897.pdf
    • https://cdn.shopify.com/s/files/1/0428/9118/2243/files/derelu.pdf
    • https://cdn.shopify.com/s/files/1/0430/4958/2743/files/soxopokubosuvoru.pdf
    • https://cdn.shopify.com/s/files/1/0430/2897/1681/files/rusaxerut.pdf
    • https://cdn.shopify.com/s/files/1/0436/0224/7838/files/noxuvok.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/f

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005fc0.bin
22accaa6169dec7fffd8cff1e4baf9e15e33dc662513e3a348307d4aa500c29f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FC0 5248 bytes
font_01_sfnt_off00007169.bin
119eaef37ba08461aaf662a8ebe1b2005262c1a114243c313d65a146407673f1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7169 9680 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.