Malicious PDF — malware analysis report

Static analysis result for SHA-256 fed65d7c6575c397…

Verdict: MALICIOUS
File type: PDF
Size: 60.0 KB
Created: 2020-08-22 10:27:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a414d5033aeb172c37d3933c43886788
SHA-1: c976c578f62675797846b2a449a851d653253b66
SHA-256: fed65d7c6575c3979e0958f35c3711c9ae85b73ead9ae818b6d55b716c5e0213
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a mass external link farm, with many links pointing to Shopify domains, but the primary redirector link is to ttraff.com. This indicates a phishing or scam attempt, likely to distribute further malware or lead users to fraudulent content. The ML classifier also flagged this PDF with high confidence. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=cbse+5th+standard+maths+book+pdf (primary redirector link)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                     | Kind            | Source                                    | Size        | SHA-256
font_00_sfnt_off00006dbf.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6DBF | 5484 bytes  | 32d8c4f67aab728e73f8a8cc8154b9845b7a29a7ab735799d77c241f8ef63554
font_01_sfnt_off00008027.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8027 | 6568 bytes  | 4e583b278a76d70d3ff67b94cffb7285acc03afe7689526d59afdd0e66437bd7
font_02_sfnt_off000092b8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x92B8 | 10464 bytes | 66e07205964f6701376ae4cc8360c90bdb573312ccefa9cdd014b33a63c57dae
font_03_sfnt_off0000b695.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB695 | 17492 bytes | e6236245b1b519c90993a0a0decb83651aa70bd3eb3f1615240c4a875e4479e0
font_04_sfnt_off0000d024.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD024 | 4768 bytes  | 065608e542b0cadf5a1c8aa2b6ea837b315e9edba0f3bc5a752e493372ed960d