Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d44861f5a40f253…

Verdict: MALICIOUS

File type: PDF

Size: 47.6 KB
Created: 2020-08-31 03:10:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bb8a36891a28ec6e0efb9b994837d25f
SHA-1: 9686d59ff08d17b56501583b2ef08396a7ffd286
SHA-256: 1d44861f5a40f253205030a497937673fd8c8f49b2ee71b120105e4f13f4651d
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple critical heuristics for containing malicious redirector links and a large number of external PDF links, indicating a link farm. The primary malicious URL identified is https://ttraff.ru/wix?keyword=horizon+palm+beach. While the document body contains garbled text, the presence of numerous links suggests an attempt to lure users to external, potentially malicious, content. No scripts were extracted, and the family is undetermined.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/wix?keyword=horizon+palm+beach

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off00006528.bin
    SHA-256: 867f391f6e507e4f0d8e8211b22402c0f675fdbadfe9c94b6de8eba3b72f402c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6528
    Size: 5144 bytes
  • font_01_sfnt_off0000767d.bin
    SHA-256: fbe9abd0d7457d247c14ff55d2a433d99db9d9164ca0b3e70e5b710501f97d88
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x767D
    Size: 11396 bytes
  • font_02_sfnt_off00009c4e.bin
    SHA-256: a95eff378c135b1ab40d10b3cd1da1bafbc07f86005f57898d079c90d712ddbd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9C4E
    Size: 16204 bytes