Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1f6a23935f9067b…

MALICIOUS

PDF

57.9 KB Created: 2020-09-03 01:00:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 06ade8b3df9f0154384bb1c16569cd82 SHA-1: c2e5012df28757859331b37cc59797c97ac13b7d SHA-256: f1f6a23935f9067ba53d945d8c4c67b666536262664f3439fd9909afeb5c7bbc
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link pointing to 'https://ttraff.com/wix?keyword=brand+identity+guide+examples'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, many hosted on Shopify. The ML classifier strongly flagged this PDF as malicious. The document body, though heavily obfuscated, contains the target URL, suggesting a lure to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=brand+identity+guide+examples
    • https://cdn.shopify.com/s/files/1/0437/4416/6037/files/78253051287.pdf
    • https://cdn.shopify.com/s/files/1/0430/7045/5957/files/danukesidavevu.pdf
    • https://cdn.shopify.com/s/files/1/0436/3337/7440/files/dadewejegoniku.pdf
    • https://cdn.shopify.com/s/files/1/0461/9586/7797/files/fadojogowopuxekexogilu.pdf
    • https://cdn.shopify.com/s/files/1/0462/6618/7933/files/doily_wedding_invitation_template.pdf
    • https://static.usrfiles.com/ugd/455f95_a8713afbdc574a05a6d8a1d68607cc9e.pdf
    • https://static.usrfiles.com/ugd/6cf392_4cbaf36735694d6a8ac523c014a026cc.pdf
    • https://static.usrfiles.com/ugd/7182f3_db4b76726146414191ff7841b96760e0.pdf
    • https://static.usrfiles.com/ugd/97aff7_6d1818fb4d404cca8948c35d86f2fb22.pdf
    • https://static.usrfiles.com/ugd/1e11d0_9a8c42b2eb11460880cc7faba12bb436.pdf
    • https://cdn.shopify.com/s/files/1/0433/7080/7461/files/21187877509.pdf
    • https://cdn.shopify.com/s/files/1/0428/8013/9423/files/yo_yo_test_file.pdf
    • https://static.usrfiles.com/ugd/d48fe3_b8689d59831a4e2199926dbd3f60aca6.pdf
    • https://static.usrfiles.com/ugd/9ef1ea_5e2badc39d4f4fbd92f3ec2bc8e4010b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008dfd.bin
1400ffb5698043fbf6bb1c8fe6f65cb295a248736412c69c2cf72bab7d5a54bd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8DFD 5500 bytes
font_01_sfnt_off0000a0af.bin
058ba5bd889d1bc84327932df2f318dcfc3c5dd6c69ad91617b398b8b652ccdb		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA0AF 10544 bytes
font_02_sfnt_off0000c509.bin
89c208c5973a3c695bba959c66362a10f0c6c59a87e6967c78d3dea7ec8928c2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC509 16184 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.