Malicious PDF — malware analysis report

Static analysis result for SHA-256 efa4c202f3756857…

MALICIOUS

PDF

39.9 KB Created: 2020-08-31 10:50:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 072edd78bf2a13fc07703652c092027c SHA-1: e07e6e6ce572ec08a40f563b4ac1f9a356078d0b SHA-256: efa4c202f37568579254ffe14ca2a3b1c81974c335797e51744307d219f32ef3
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, with a critical heuristic firing indicating it's a malicious redirector. The primary malicious URL identified is 'https://ttraff.com/wix?keyword=ted+klein+petey'. The document body, though heavily obfuscated, also contains this URL, suggesting an attempt to direct users to potentially harmful content. The presence of numerous Shopify links, while individually benign, contributes to the overall link farm characteristic.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=ted+klein+petey
    • https://cdn.shopify.com/s/files/1/0433/8774/8508/files/96479445260.pdf
    • https://cdn.shopify.com/s/files/1/0434/0721/2709/files/67788403174.pdf
    • https://cdn.shopify.com/s/files/1/0434/2572/6625/files/368013783.pdf
    • https://cdn.shopify.com/s/files/1/0430/5770/9210/files/best_ngo_annual_reports.pdf
    • https://cdn.shopify.com/s/files/1/0434/1517/5317/files/adjective_and_adverb_clauses_worksheet.pdf
    • https://cdn.shopify.com/s/files/1/0436/3865/3086/files/4217992169.pdf
    • https://cdn.shopify.com/s/files/1/0435/4621/4564/files/43406940517.pdf
    • https://cdn.shopify.com/s/files/1/0434/8936/2082/files/93318331648.pdf
    • https://cdn.shopify.com/s/files/1/0437/4344/5141/files/dosirepa.pdf
    • https://cdn.shopify.com/s/files/1/0433/6772/7269/files/zotejiniwanepoloretizife.pdf
    • https://cdn.shopify.com/s/files/1/0462/2693/1863/files/92594051886.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/vinupagudesezubinu.pdf
    • https://cdn.shopify.com/s/files/1/0437/7152/7325/files/11261092404.pdf
    • https://cdn.shopify.com/s/files/1/0437/5045/7505/files/ccna_report_file.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000060f6.bin
c4cdcae75310ef7498bc8561b2844a2fa4a173eb42b58c7a451a393946c2b6fc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x60F6 4584 bytes
font_01_sfnt_off000070a3.bin
a599cb684e496e8bd52e2430441ae8e9764a8e82c4e045afa073c2474be74fed		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70A3 10136 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.