Malicious PDF — malware analysis report

Static analysis result for SHA-256 f7f45d9e533e2179…

MALICIOUS

PDF

Size: 41.0 KB
Created: 2020-09-04 12:25:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c3c9f25df7c3c3cbefede5f5ecfa7a00
SHA-1: 76b1b955abfaf7eb36201b93ec96f6d80331dfb9
SHA-256: f7f45d9e533e21798e82609f6a934ad7d95f275901c81f8acd99c32da8eb100b
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link farm and a critical redirector link to ttraff.club, indicating a phishing or redirection attempt. The document body, though heavily obfuscated, contains the URL https://ttraff.club/wix?keyword=avison+young+retail+market+report, suggesting the lure is a fake market report. The ML classifier strongly supports maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.club/wix?keyword=avison+young+retail+market+report

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000632d.bin
  SHA-256: 76d71dbc463dbccd1d1d33f8e6eb2686675f6908964b56f3b478ebd93e43b789
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x632D
  Size: 5356 bytes

Filename: font_01_sfnt_off0000755f.bin
  SHA-256: 826db98d8e77bd85b7508b9f27a97577ae69fc51aed4ce23ceb5e924082e8454
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x755F
  Size: 10012 bytes