Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c6595589803de17…

MALICIOUS

PDF

Size: 43.9 KB
Created: 2020-09-21 00:39:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00ccf9af0052f4f5f018424adf7c24dd
SHA-1: 52f7f82d1bc9f1501a863bd74a9c5d9242faad4b
SHA-256: 1c6595589803de179d5199e11d10234f7d62997ec0b432b4e1361bffc99e4a96
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs, identified as a link farm. One critical heuristic indicates that these links point to known malicious redirector infrastructure, specifically the URL 'https://ttraff.club/wix?keyword=raze+2+unblocked+6969'. The large number of PDF links, combined with the ML classifier's high-confidence score, suggests a deliberate attempt to lure users to malicious sites, most likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=raze+2+unblocked+6969

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00006e41.bin | 9af3c748e14fc1fd45f7141914b26f90f8fcebf4d30854217d61c461e88b625a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6E41 | 5364 bytes
font_01_sfnt_off0000809b.bin | fcebc9b9db378f0f56d798a4888145c2e1aae3b2f48fd0e70d737ee63d13704a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x809B | 10060 bytes