Malicious PDF — malware analysis report

Static analysis result for SHA-256 f9c05071805d62c8…

MALICIOUS

PDF

46.5 KB Created: 2020-08-01 05:14:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: af1ee9394906e9062f14db352b8ba68d SHA-1: 361f6b9ca0da441474e2684ae347b8f6a516cb09 SHA-256: f9c05071805d62c88b1c3f26e598b9547c5e711fe9b1a3720c2e20d8bb1187aa
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link to a known malicious redirector, ttraff.com, which is presented as a manual for a Cheerson CX-10C drone. The document also hosts a large number of external PDF links, many hosted on Shopify, suggesting a link farm or SEO poisoning tactic. The ML classifier strongly flagged this PDF as malicious. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=cheerson+cx-+10c+manual
    • http://files.wearekids.org/uploads/1/3/1/0/131069744/9ede4.pdf
    • http://files.denisecummins.com/uploads/1/3/1/8/131856065/022f902c20b9a20.pdf
    • http://files.spacecityflyco.com/uploads/1/3/1/3/131383747/026c362cdf31.pdf
    • http://files.raort.net/uploads/1/3/1/4/131437157/fdaad2c2.pdf
    • https://cdn.shopify.com/s/files/1/0437/0500/8293/files/77489991669.pdf
    • https://cdn.shopify.com/s/files/1/0432/4474/8950/files/goduwa.pdf
    • https://cdn.shopify.com/s/files/1/0440/7659/7400/files/34085845109.pdf
    • https://cdn.shopify.com/s/files/1/0435/9657/8979/files/95205337850.pdf
    • https://cdn.shopify.com/s/files/1/0434/0521/3847/files/94343738679.pdf
    • https://cdn.shopify.com/s/files/1/0432/0365/7887/files/fumiwakapapogubiwukam.pdf
    • https://cdn.shopify.com/s/files/1/0434/0921/1549/files/fejaravamebib.pdf
    • https://cdn.shopify.com/s/files/1/0432/1257/0783/files/kinajamunutikugupa.pdf
    • https://cdn.shopify.com/s/files/1/0432/7089/7824/files/wadimibunojisosuxitufulu.pdf
    • https://cdn.shopify.com/s/files/1/0440/2269/4046/files/nadubukil.pdf
    • https://cdn.shopify.com/s/files/1/0428/6464/0159/files/84986586844.pdf
    • https://cdn.shopify.com/s/files/1/0431/1056/3994/files/pelomok.pdf
    • https://cdn.shopify.com/s/files/1/0431/0928/6042/files/84597100269.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000077a8.bin
a8b7542fe3115162307cc3ee5e5ed812c5430882b2ea12f300d766448906a0cf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x77A8 5240 bytes
font_01_sfnt_off00008951.bin
5164b2ef2f9399342fd1734d5f0ab26eaf02ee2cf95755afea75835ebd029a04		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8951 10468 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.