Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f0a3bf7bed9826a…

MALICIOUS

PDF

Size: 75.0 KB
Created: 2020-09-17 13:06:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 05bff45a68532c7db392903ee9d7db00
SHA-1: 3c5452c80b9b21bf1948bc1b69611b21890999d2
SHA-256: 2f0a3bf7bed9826a5f9dbb2c8aa804ed2aa6512eb2a80c5e21f85c3cdfe11710
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link pointing to 'ttraff.me', which is also present in the document body. This link is presented as a lure for downloading hacking tools. The PDF also contains a large number of embedded links, many pointing to Shopify, suggesting a link farm for SEO manipulation or to obscure the malicious redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.me/wix?keyword=hack+wifi+password+apk+free+download
    • https://cdn.shopify.com/s/files/1/0430/8316/9943/files/89494599731.pdf
    • https://cdn.shopify.com/s/files/1/0431/7695/1965/files/flcl_eyebrows_gif.pdf
    • https://cdn.shopify.com/s/files/1/0431/6571/2535/files/3d_excel_chart_templates_free.pdf
    • https://cdn.shopify.com/s/files/1/0459/7055/5047/files/52775761940.pdf
    • https://cdn.shopify.com/s/files/1/0428/9147/7159/files/cocina_criolla.pdf
    • https://cdn.shopify.com/s/files/1/0438/4981/0080/files/zafobawopizunosiduleze.pdf
    • https://cdn.shopify.com/s/files/1/0463/2933/1869/files/fimuniruviz.pdf
    • https://00e0a810-3387-4239-aaf1-c503726ee55a.filesusr.com/ugd/3a38e0_2e262f8952d34ce9b24620204b23ad9b.pdf?index=true
    • https://1fab90b4-7f98-47e7-a3a4-595b331671d8.filesusr.com/ugd/02af14_23e5715659ac450f9e9c2bb9ef0cb5bc.pdf?index=true
    • https://861fe797-53de-4a31-88fc-4e3eb67c8f93.filesusr.com/ugd/b463f2_9b9339c1485c4264b3843a7965a2f3c5.pdf?index=true
    • https://9d9e6354-dca2-4a14-9578-93ff7594b131.filesusr.com/ugd/3bcfef_1df010f04aa24eabbde969231ca48f9e.pdf?index=true
    • https://eb5cf5bb-e83e-4d8b-849e-85c8b9a1c7e9.filesusr.com/ugd/3b47cb_f05c1493f3a244b0b9c5284ed909fa2a.pdf?index=true
    • https://8db09696-8cd6-4267-89cb-e84416e62e45.filesusr.com/ugd/b916f4_39ab9feb1a52402fafbf48411ba4a820.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://861fe797-53de-4a31-88fc-4e3eb67c8f93.filesusr.com

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e18b.bin
SHA-256: aed88a202e6f78da3d53f623e92b9308cf0ed953aa92ec525008a1d7c32cf8ac
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE18B
Size: 5268 bytes

Filename: font_01_sfnt_off0000f39a.bin
SHA-256: 452422666e82bdf613264e87a869c96c438950198a53892f31d2724eb4b65872
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF39A
Size: 13596 bytes