Malicious PDF — malware analysis report

Static analysis result for SHA-256 2683791634a3d470…

MALICIOUS

PDF

43.6 KB Created: 2020-08-19 10:10:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a7f1792e135fa54a4663a5e26f3ca3f4 SHA-1: afa42101a2274c5b96dc9c52ba393ce0a5d2d276 SHA-256: 2683791634a3d47045f98ed4bc1bbf7cd09571ff158785a8fe1666ce9ad0fa59
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, with one specifically identified as a malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.cc/pify?keyword=cambio+climatico+en+bolivia+2016+pdf', which is flagged as a malicious redirector. The presence of numerous external PDF links suggests a link farm or SEO manipulation tactic, likely to distribute further malicious content or phish for information.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=cambio+climatico+en+bolivia+2016+pdf
    • http://sodaro.printedrockets.com/uploads/1/3/1/6/131637136/3410352.pdf
    • http://fuzukusun.trinityumc-bsg.net/uploads/1/3/1/6/131606490/gegamufu.pdf
    • http://risij.paulgiessmusic.com/uploads/1/3/1/4/131438268/lezowivebovuk.pdf
    • https://cdn.shopify.com/s/files/1/0431/7098/8196/files/78209732173.pdf
    • https://cdn.shopify.com/s/files/1/0433/9898/7941/files/walk_thru_form.pdf
    • https://cdn.shopify.com/s/files/1/0428/7679/7081/files/34343656251.pdf
    • https://cdn.shopify.com/s/files/1/0439/2416/0667/files/24373353268.pdf
    • https://cdn.shopify.com/s/files/1/0431/3173/2122/files/buranadizizemu.pdf
    • https://cdn.shopify.com/s/files/1/0430/0577/1927/files/59064397950.pdf
    • https://cdn.shopify.com/s/files/1/0431/7049/6672/files/konditionalstze_deutsch_bungen.pdf
    • https://cdn.shopify.com/s/files/1/0431/3484/5079/files/33728650252.pdf
    • https://cdn.shopify.com/s/files/1/0439/0620/3803/files/storyboarding_basics.pdf
    • https://cdn.shopify.com/s/files/1/0438/9044/2395/files/72927339578.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000686b.bin
20af5a01f773e61f86854a8b0fe7a260418cab7dc23e5384d7febd0f197eab29		 pdf-font-stream PDF embedded font (sfnt) at offset 0x686B 5612 bytes
font_01_sfnt_off00007b7e.bin
37dd8c0104ca78b341457b6a6d2ca3c5050f7c0547d2cf32767c930e72c70e8d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B7E 11460 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.