Malicious PDF — malware analysis report

Static analysis result for SHA-256 f6b3a7d49cbc4744…

Verdict: MALICIOUS
File type: PDF
Size: 40.6 KB
Created: 2020-08-17 09:59:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a6f22b3efd0d8f0a5c757fa8235bcaa9
SHA-1: 2ee6aca9875b4dee67e5875cefa014657b711ada
SHA-256: f6b3a7d49cbc4744255632d50ced222356a24545fffe3c011824a29331c162d1
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 Malicious Link

The PDF is a link farm dressed up as an "employment form template" lure. Its clickable redirector link (https://ttraff.com/pify?keyword=employment+form+template+in+html) carries that lure keyword in its query string and leads to malicious infrastructure at ttraff.com; the remaining clickable links point at further generated PDFs, mostly hosted on one CDN host (cdn.shopify.com). The ML classifier scored the file as malicious with maximum confidence. The document body is heavily obfuscated, but the known malicious redirector together with the link-farm pattern is enough to characterise the file as a phishing/redirection carrier: it depends on the user clicking a link, not on a PDF parser vulnerability.

Machine Learning

  • Nyx PDF Classifier: malicious, score 1.0000

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK [critical]: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM [critical]: small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL [info]: embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector link (clickable URI):
    • https://ttraff.com/pify?keyword=employment+form+template+in+html
    External PDF links (clickable URIs; 11 of the 16 are on cdn.shopify.com):
    • http://files.nostalgeekretrogames.ca/uploads/1/3/1/6/131606965/1643758.pdf
    • http://wafotu.simplycheesecakesandmore.com/uploads/1/3/2/3/132303079/2244259.pdf
    • http://files.changinglungcancer.com/uploads/1/3/0/9/130969825/e1c129c6c141512.pdf
    • http://polut.bodyvelocitybootcamp.com/uploads/1/3/0/7/130775403/811b564b9.pdf
    • http://files.theneoneffect.com.au/uploads/1/3/0/7/130738764/8579411.pdf
    • https://cdn.shopify.com/s/files/1/0429/6366/5055/files/44433326065.pdf
    • https://cdn.shopify.com/s/files/1/0438/1186/4738/files/65794962509.pdf
    • https://cdn.shopify.com/s/files/1/0432/3803/1518/files/p._s._meaning.pdf
    • https://cdn.shopify.com/s/files/1/0432/6863/6834/files/gta_v_cracked.pdf
    • https://cdn.shopify.com/s/files/1/0437/9967/5041/files/tedoxe.pdf
    • https://cdn.shopify.com/s/files/1/0433/7539/4979/files/90671057785.pdf
    • https://cdn.shopify.com/s/files/1/0440/3747/2421/files/bixufazewetet.pdf
    • https://cdn.shopify.com/s/files/1/0431/5217/9364/files/python_ldap_authentication.pdf
    • https://cdn.shopify.com/s/files/1/0428/8974/0441/files/tidoxedibeleze.pdf
    • https://cdn.shopify.com/s/files/1/0432/7053/7374/files/54722702337.pdf
    • https://cdn.shopify.com/s/files/1/0430/9241/0525/files/aircraft_airframe_book.pdf
    XMP/RDF namespace identifiers from the metadata packet (not clickable links; present in any XMP-tagged PDF and not indicators on their own):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
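The two critical heuristics above, reduced to a few dozen lines of Python as an added example (this is not the analysis platform's own code). It pulls URIs out of /URI link actions, including ones sitting inside FlateDecode-compressed object streams, ignores XMP namespace URIs by construction, then applies a redirector denylist and a link-farm clustering rule. The denylist (seeded with ttraff.com from this report), the thresholds (five or more .pdf links, at least half on one host) and the sample PDF are assumptions constructed for the example; the URLs inside the sample are taken from the list above.

```python
"""Link-annotation triage for SEO link-farm / redirector PDFs.

Added example, not the analysis platform's code. Thresholds, the redirector
denylist and the sample PDF are assumptions constructed for illustration.
"""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Assumed denylist: the redirector host named in the report above.
REDIRECTOR_HOSTS = {"ttraff.com"}

# /URI literal string inside a link action; backslash escapes allowed inside.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Body of every stream object, so Flate-compressed object streams get scanned too.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# What a naive "grep for URLs" does: it also sweeps up XMP namespace URIs.
NAIVE_URL_RE = re.compile(rb'https?://[^\s"<>()]+')


def extract_link_uris(pdf: bytes) -> list:
    """URIs from /URI link actions, in the raw file and in any Flate stream.
    XMP xmlns namespaces are never /URI actions, so they are excluded."""
    bodies = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not FlateDecode (raw XMP, fonts, images): nothing to add
    uris = []
    for body in bodies:
        for m in URI_RE.finditer(body):
            uri = re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            if uri not in uris:
                uris.append(uri)
    return uris


def naive_url_sweep(pdf: bytes) -> list:
    """Plain URL grep over the raw bytes, for comparison only."""
    return sorted({m.group(0).decode("latin-1") for m in NAIVE_URL_RE.finditer(pdf)})


def triage(pdf: bytes, min_pdf_links: int = 5, min_top_host_share: float = 0.5) -> dict:
    """Redirector-link and link-farm heuristics (assumed thresholds)."""
    uris = extract_link_uris(pdf)
    redirectors = [u for u in uris if urlsplit(u).hostname in REDIRECTOR_HOSTS]
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    top_host, top_n = (Counter(urlsplit(u).hostname for u in pdf_links).most_common(1)
                       or [(None, 0)])[0]
    link_farm = (bool(pdf_links) and len(pdf_links) >= min_pdf_links
                 and top_n / len(pdf_links) >= min_top_host_share)
    return {
        "size_bytes": len(pdf), "uris": uris, "redirector_links": redirectors,
        "pdf_link_count": len(pdf_links), "top_host": top_host,
        "hits": [h for h, on in (("PDF_MALICIOUS_REDIRECTOR_LINK", redirectors),
                                 ("PDF_SEO_LINK_FARM", link_farm)) if on],
    }


def _annot(uri: str) -> bytes:
    return (b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ("
            + uri.encode() + b") >> >>")


# Constructed sample in the shape the report describes: one redirector link carrying
# the lure keyword, .pdf links clustered on one CDN host, one link hidden inside a
# Flate-compressed object stream, and XMP metadata that must not count as links.
_LINKS = [
    "https://ttraff.com/pify?keyword=employment+form+template+in+html",
    "https://cdn.shopify.com/s/files/1/0429/6366/5055/files/44433326065.pdf",
    "https://cdn.shopify.com/s/files/1/0438/1186/4738/files/65794962509.pdf",
    "https://cdn.shopify.com/s/files/1/0432/3803/1518/files/p._s._meaning.pdf",
    "https://cdn.shopify.com/s/files/1/0432/6863/6834/files/gta_v_cracked.pdf",
    "http://files.nostalgeekretrogames.ca/uploads/1/3/1/6/131606965/1643758.pdf",
]
HIDDEN_LINK = "http://files.changinglungcancer.com/uploads/1/3/0/9/130969825/e1c129c6c141512.pdf"
_XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
        b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
        b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')


def build_sample_pdf() -> bytes:
    objstm = zlib.compress(b"20 0\n" + _annot(HIDDEN_LINK))  # object 20 lives in the ObjStm
    out = [b"%PDF-1.4\n",
           b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 12 0 R >> endobj\n",
           b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
           b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
           b"/Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 20 0 R] >> endobj\n"]
    out += [b"%d 0 obj " % (4 + i) + _annot(u) + b" endobj\n" for i, u in enumerate(_LINKS)]
    out.append(b"11 0 obj << /Type /ObjStm /N 1 /First 5 /Filter /FlateDecode /Length %d >>\n"
               b"stream\n" % len(objstm) + objstm + b"\nendstream\nendobj\n")
    out.append(b"12 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(_XMP)
               + _XMP + b"\nendstream\nendobj\n")
    out.append(b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return b"".join(out)


if __name__ == "__main__":
    print(triage(build_sample_pdf()))
```

triage(build_sample_pdf()) fires both heuristic IDs on the constructed file. naive_url_sweep() on the same bytes shows why a plain URL grep is the wrong tool for this report's EMBEDDED_URL caveat: it reports the XMP namespace URIs as if they were links and misses the annotation hidden in the compressed object stream.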

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000062ad.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x62AD | 5024 bytes
  SHA-256: f4f00a18d9d9c21412e3266a7e76ea49f0b43bd1274ec0585777428301e51f68
font_01_sfnt_off0000739b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x739B | 9992 bytes
  SHA-256: 4cc320ae020dd5ec5319c8678a0268a4e5d2cb53407cbb56bb98a5704c51e011
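The artifact table records, for each carved font, the stream offset in the file, the decoded size and a SHA-256. As an added example (not the platform's own carver), the Python below does the same over a constructed PDF fragment and additionally checks that the sfnt table directory stays inside the blob, which is the first thing to inspect when an embedded font is suspected of targeting the viewer's font parser rather than the user. The font blob and the PDF fragment are constructed for the example; nothing here claims anything about the two fonts in this sample.

```python
"""Carve embedded sfnt (TrueType/OpenType) font streams from a PDF, hash them,
and sanity-check the table directory.

Added example, not the analysis platform's carver. The PDF fragment and the
font blob are constructed inline.
"""
import hashlib
import re
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def carve_sfnt_fonts(pdf: bytes) -> list:
    """One record per stream whose decoded payload starts like an sfnt.
    'offset' is where the encoded stream data sits in the file, as in the report."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            data = zlib.decompress(raw)  # /FlateDecode, the common case
        except zlib.error:
            data = raw                   # unfiltered stream
        if data[:4] not in SFNT_MAGICS or len(data) < 12:
            continue
        num_tables = int.from_bytes(data[4:6], "big")
        # Table directory: 16-byte records after the 12-byte offset table. A record
        # pointing outside the blob is what font-parser bugs feed on, so flag it
        # instead of trusting the declared offsets.
        in_bounds = 12 + 16 * num_tables <= len(data)
        for i in range(num_tables if in_bounds else 0):
            rec = data[12 + 16 * i: 28 + 16 * i]
            off = int.from_bytes(rec[8:12], "big")
            length = int.from_bytes(rec[12:16], "big")
            in_bounds &= off + length <= len(data)
        found.append({"offset": m.start(1), "size": len(data), "num_tables": num_tables,
                      "tables_in_bounds": in_bounds,
                      "sha256": hashlib.sha256(data).hexdigest()})
    return found


def build_font(table_len: int) -> bytes:
    """Constructed minimal sfnt: TrueType magic, one 'cmap' table record, 4 bytes of
    table data. A table_len larger than 4 yields an out-of-bounds record."""
    hdr = b"\x00\x01\x00\x00" + (1).to_bytes(2, "big") + b"\x00\x10\x00\x00\x00\x00"
    rec = b"cmap" + b"\x00" * 4 + (28).to_bytes(4, "big") + table_len.to_bytes(4, "big")
    return hdr + rec + b"\x00" * 4


def build_sample_pdf(font: bytes) -> bytes:
    """Constructed fragment: a Flate-compressed FontFile2 stream plus a raw XMP stream
    that the carver must skip."""
    comp = zlib.compress(font)
    xmp = b'<x:xmpmeta xmlns:x="adobe:ns:meta/"/>'
    parts = [b"%PDF-1.4\n",
             b"5 0 obj << /Length %d /Length1 %d /Filter /FlateDecode >>\nstream\n"
             % (len(comp), len(font)),
             comp, b"\nendstream\nendobj\n",
             b"6 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp),
             xmp, b"\nendstream\nendobj\n%%EOF\n"]
    return b"".join(parts)


if __name__ == "__main__":
    for rec in carve_sfnt_fonts(build_sample_pdf(build_font(4096))):
        print(rec)
```

On the well-formed font the carver returns one record with the same offset, size and SHA-256 fields the table above shows; on the variant whose cmap record claims 4096 bytes it returns the same record with tables_in_bounds false, which is the cue to hand the blob to a hardened font parser rather than the viewer.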