Malicious PDF — malware analysis report

Static analysis result for SHA-256 fc9af72e5e9ee0b8…

MALICIOUS

PDF

45.5 KB Created: 2020-08-21 10:45:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bbe9b6f822464feec3350d309fb9f58a SHA-1: 2b2cebbfd1600ce2ceeb0ce05870899e94fad6b4 SHA-256: fc9af72e5e9ee0b8266445dd99418f368048f471113c0e25e3f5c8443403422e
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links, many of which point to Shopify domains hosting other PDFs, forming a link farm. One critical heuristic identified a link to a known malicious redirector, ttraff.cc, which is likely the ultimate destination. The ML classifier strongly supports the malicious nature of this PDF. No scripts were extracted, and the document body was largely unreadable binary data.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=all+bollywood+songs+audio
    • http://fovasora.thewaveindustries.com/uploads/1/3/1/8/131856725/4351792.pdf
    • http://konotiv.ourfaithatwork.com/uploads/1/3/1/8/131856643/muvemunelemutij-zemesi-kufifebela.pdf
    • http://files.yogawithminta.com/uploads/1/3/2/7/132710748/2190998.pdf
    • http://jomowi.drusslaw.com/uploads/1/3/0/7/130775443/jizalanesuporu.pdf
    • https://cdn.shopify.com/s/files/1/0434/0586/9213/files/21472693355.pdf
    • https://cdn.shopify.com/s/files/1/0435/1164/4324/files/trochanteric_bursitis_treatment.pdf
    • https://cdn.shopify.com/s/files/1/0427/7505/2454/files/wadupebolo.pdf
    • https://cdn.shopify.com/s/files/1/0435/9041/8591/files/new_punjabi_songs_2017_download.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/buxidumex.pdf
    • https://cdn.shopify.com/s/files/1/0435/7311/7087/files/us_fda_drug_labeling_guidelines.pdf
    • https://cdn.shopify.com/s/files/1/0440/6856/9238/files/32838660651.pdf
    • https://cdn.shopify.com/s/files/1/0432/0378/8964/files/nuxuji.pdf
    • https://cdn.shopify.com/s/files/1/0431/4290/6007/files/57987719942.pdf
    • https://cdn.shopify.com/s/files/1/0435/7806/5055/files/zaxebajusufuli.pdf
    • https://cdn.shopify.com/s/files/1/0438/5413/5456/files/javuled.pdf
    • https://cdn.shopify.com/s/files/1/0435/2511/1972/files/59447034747.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006b70.bin
9de44dc4efb3cb731e7478e4e34f7d83aea5c8de91fdc84eb8aa7da9f55aebc9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B70 5220 bytes
font_01_sfnt_off00007d56.bin
9bbefeb7ac9a013bf05e509fb2ff96252fcca952ce1a14aa9e9abfad97292a73		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D56 14116 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.