Malicious PDF — malware analysis report

Static analysis result for SHA-256 f12be30bc1b8f1fd…

Verdict: MALICIOUS
File type: PDF
Size: 35.1 KB
Created: 2020-09-16 21:26:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 006d0a46c320b69c316117a451419256
SHA-1: da0d14f658a2974bd5247f468f9546fca6844a9e
SHA-256: f12be30bc1b8f1fd736c64c3ff552d652f9e8f5585205463100b9c8e6bef6454
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.com, which is disguised as information about a Dell monitor power cord. The document also contains a large number of links to other PDFs, suggesting a link farm or SEO poisoning attempt. The ML classifier strongly indicated maliciousness, and the PDF structure itself is suspicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/wix?keyword=dell+s2340mc+power+cord
    • http://files.camoallegiance.com/uploads/1/3/2/7/132710750/temitido.pdf
    • http://files.son-riseranch.com/uploads/1/3/0/9/130969989/sizit.pdf
    • http://files.adelaide-pilates.com/uploads/1/3/0/7/130739761/zijupepojumoviziwese.pdf
    • http://files.sthrouda.com/uploads/1/3/1/4/131408142/6522907.pdf
    • http://files.ecolivingatlas.com/uploads/1/3/1/6/131606248/8722564.pdf
    • http://files.kulanuicounseling.com/uploads/1/3/0/9/130969772/nabotadukofiv_zizisojem_xizofuxowe.pdf
    • https://0b4d7da4-9710-4552-abe8-61d790163cbc.filesusr.com/ugd/96564c_d75108c9323e4b09949c7c7f2f745f5d.pdf?index=true
    • https://fe4c9c8d-c2f2-4ae8-9e53-7eec50c502f4.filesusr.com/ugd/277b62_c70ec0c622f6463daeeacb160a2a7fc0.pdf?index=true
    • https://3758c5f6-1822-48f5-a4b1-c54dcd4593f8.filesusr.com/ugd/33a16d_091a243cabc84322b52dc575157d3158.pdf?index=true
    • https://a0302a40-3b28-46e4-9cff-f1e50d666613.filesusr.com/ugd/595093_a43a1a79eec54e55836b0172c54ea672.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0430/5348/2135/files/billboard_top_100_1978.pdf
    • https://cdn.shopify.com/s/files/1/0429/2640/7833/files/16975488907.pdf
    • https://cdn.shopify.com/s/files/1/0431/4264/3868/files/wutozivin.pdf
    • https://cdn.shopify.com/s/files/1/0430/0043/0746/files/direct_and_inverse_proportion_worksheet.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00004920.bin
    SHA-256: abac74052c9bf4deb0ef6ca8a2dadb664229b7477e21da0887f62727e0b2d7be
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4920
    Size: 5628 bytes
  • Filename: font_01_sfnt_off00005c53.bin
    SHA-256: 5612bc5a626adeb6989fbbc03438cda83cc8ad3a3661016e8192deaeb37043c9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5C53
    Size: 10340 bytes