Malicious PDF — malware analysis report

Static analysis result for SHA-256 f7e890d687dea447…

MALICIOUS

PDF

44.3 KB Created: 2020-09-16 16:04:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00e4b725c43fd24bb03945e0f94acc23 SHA-1: b7637d5a92ec3dabc46cd756ef48599514c19e53 SHA-256: f7e890d687dea44716668b1f726ca943370dfeb9c4751c2cf85b7c6fa74456a6
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. The document body, though heavily obfuscated, contains text related to '11th hour worksheet answers' and the URL 'https://ttraff.com/wix?keyword=11th+hour+worksheet+answers', suggesting a lure. Additionally, the PDF exhibits characteristics of a link farm, with numerous embedded links, including one to 'cdn.shopify.com'. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=11th+hour+worksheet+answers
    • https://cdn.shopify.com/s/files/1/0434/5249/8070/files/beden_dili_ismek.pdf
    • https://cdn.shopify.com/s/files/1/0438/3745/6534/files/xegipukezifosenixazixirir.pdf
    • https://cdn.shopify.com/s/files/1/0429/3859/7539/files/iferror_blank_google_sheets.pdf
    • https://cdn.shopify.com/s/files/1/0434/4093/0968/files/diminutabowesamu.pdf
    • https://cdn.shopify.com/s/files/1/0431/3458/2938/files/hotpoint_washing_machine_manual_wmxt.pdf
    • https://cdn.shopify.com/s/files/1/0431/6246/8503/files/pamir.pdf
    • https://cdn.shopify.com/s/files/1/0427/9438/5575/files/manual_ableton_live_10_espaol.pdf
    • https://cdn.shopify.com/s/files/1/0434/2956/0481/files/orange_county_register_crossword_puzzles.pdf
    • https://cdn.shopify.com/s/files/1/0432/6768/6556/files/beginner_workout_program.pdf
    • https://cdn.shopify.com/s/files/1/0440/8036/5733/files/94439092652.pdf
    • https://cdn.shopify.com/s/files/1/0440/9065/4870/files/52186315605.pdf
    • https://cdn.shopify.com/s/files/1/0433/5871/6054/files/wamiw.pdf
    • https://cdn.shopify.com/s/files/1/0434/2287/5797/files/rheem_furnaces_trouble_shooting.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006ff6.bin
7610179890ff30159963df1e948d9b79be44222fa2c0a18e83a66890813b187a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FF6 4856 bytes
font_01_sfnt_off00008083.bin
fa673b1c6c9879c63ce6fb0538f1c316af27927df1302470e55e734ec5c8e7fb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8083 10604 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.