Malicious PDF — malware analysis report

Static analysis result for SHA-256 f298989883435324…

MALICIOUS

PDF

45.9 KB Created: 2020-09-16 23:44:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b2a9b7a0dcf99f44accd1344954aa54e SHA-1: bbdb7655b168d466fe1dc081a401d7b7451799a1 SHA-256: f298989883435324bffebafac445484761de2c2ea1d0edf9a70c25f6ae1f2a02
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a mass of external links, including a critical link to a known malicious redirector at `https://ttraff.me/wix?keyword=creeper+gif+wallpaper`. The document body, though heavily obfuscated, also contains this URL, suggesting a lure to a malicious site. The ML classifier strongly flagged this PDF as malicious, and the presence of numerous PDF links indicates a link farm strategy, likely to obscure the final malicious destination.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=creeper+gif+wallpaper
    • https://8430e549-a93f-451c-9e76-33819ae59aa4.filesusr.com/ugd/1e8759_c9798e7a9c154d60be296fffb683a5fa.pdf?index=true
    • https://e01df6d9-4dd6-455e-9bc9-dfb0802be10d.filesusr.com/ugd/28146e_bcdf469e91944e4580b8b9eb75d5cb00.pdf?index=true
    • https://8fd12cc0-8e8f-458f-8b7f-e5beab7e64d2.filesusr.com/ugd/0582e0_f58aafc6754547f3a553c140a9123b79.pdf?index=true
    • https://75f53aa4-6717-4758-be52-124af0182d2c.filesusr.com/ugd/d61b30_16d57852e3c5404d959cc04dec5816b8.pdf?index=true
    • https://90f00b74-628f-4aaf-ba32-594d842c78b3.filesusr.com/ugd/d5415a_8c6008bdef514e9b8d4e50a2785df127.pdf?index=true
    • https://99120644-a416-45b4-9ad4-c6ec35c79779.filesusr.com/ugd/694d5d_e64ecfb28b804d1fbc0b0781b2210764.pdf?index=true
    • https://64b7e65d-33f8-46f2-9199-353b91a93e8c.filesusr.com/ugd/66f3f9_283e3b98258243a4ae4a527b9fc598a0.pdf?index=true
    • https://5c596c0a-e8f1-4572-a303-fd6e3a6483e0.filesusr.com/ugd/1cc777_678d91d0014b440c985db873985561d7.pdf?index=true
    • https://758e3fa1-f8c3-498c-b6fa-5e4f427dd641.filesusr.com/ugd/0cd019_e49901cda47b46f4bd51de630f14b9bb.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0433/7693/5070/files/63209854373.pdf
    • https://cdn.shopify.com/s/files/1/0430/1229/2767/files/generate417_barcode_android.pdf
    • https://cdn.shopify.com/s/files/1/0434/3840/7845/files/2016_cadillac_ct6_infotainment_manual.pdf
    • https://cdn.shopify.com/s/files/1/0435/0948/1626/files/97294970261.pdf
    • https://cdn.shopify.com/s/files/1/0440/6516/1366/files/free_jio_video_call_app.pdf
    • https://67f760d9-47fd-4928-a8f1-bf2e1ae73fe9.filesusr.com/ugd/03ef8e_807a897a6c60405ba382edae0ac3ef23.pdf?index=true
    • https://e2047e43-3084-4bb4-8e37-c9f07c88b3be.filesusr.com/ugd/bc0b97_3984292bce9b49aebcfb38e677d0a508.pdf?index=true
    • https://97f92ab0-6877-4790-a91a-63e7b0606e4d.filesusr.com/ugd/7f614e_4d3cfa3931174b55b80eedc04ca7072c.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000076b9.bin
e9132e522b3a5e89c534bfae6a907c60c804da5645e94736c586ffebbd285541		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76B9 4888 bytes
font_01_sfnt_off00008784.bin
94c236bf727d508bb145d9da554615e15ef82c041f6ef8283169d2d5cce0b995		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8784 10320 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.