Malicious PDF — malware analysis report

Static analysis result for SHA-256 376f143d80fbc18e…

MALICIOUS

PDF

88.2 KB Created: 2020-09-13 13:33:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: be5ba22003bc8ee1843d380a7c2377c1 SHA-1: a123c0aeaaeccabbbfc0406555d5b5996b0c76a1 SHA-256: 376f143d80fbc18e438b4f233a6f14214d757c065e61768652d6718c98bf4e5e
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged by multiple heuristics, including a critical alert for a malicious redirector link and a PDF link farm. The document body, though heavily obfuscated, contains the URL 'https://ttraff.club/wix?keyword=mlp+all+episodes', which is identified as a malicious redirector. The presence of numerous external links, many pointing to potentially suspicious domains, strongly suggests a phishing or malicious redirection attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=mlp+all+episodes
    • http://dewefodir.newartbycjepps.com/uploads/1/3/0/7/130739873/4c5853c723b5.pdf
    • http://files.neilestrickgallery.com/uploads/1/3/2/6/132681415/3356331.pdf
    • http://zibujibo.782elm.com/uploads/1/3/1/3/131380212/9797230.pdf
    • http://files.thebrickva.com/uploads/1/3/2/6/132695416/mixewew-bisavupatava-weworopo.pdf
    • https://static.usrfiles.com/ugd/529dbf_5f44d134cba541bd8cc82bc23f730482.pdf
    • https://static.usrfiles.com/ugd/fbccce_cb7d880b324c48188b6afd47bcb58d64.pdf
    • https://static.usrfiles.com/ugd/67e251_baa3cefa2559416e8f9137929635f852.pdf
    • https://static.usrfiles.com/ugd/b8c837_874d9c6da6c144c6b21e727e9e793d03.pdf
    • https://static.usrfiles.com/ugd/7c41c1_5d112f9dda69470296b07a69d78812e2.pdf
    • https://static.usrfiles.com/ugd/83f04e_092bf040ebdf4bb19d3cd4a158022909.pdf
    • https://static.usrfiles.com/ugd/b8c837_0a4efbfdb90b458abc7854d09df9785c.pdf
    • https://static.usrfiles.com/ugd/bfd504_df56feec682241baad0891618893f075.pdf
    • https://static.usrfiles.com/ugd/760101_3d978be8e35643ba937b758d1bbac2cd.pdf
    • https://static.usrfiles.com/ugd/4ae4db_42148439567946f98a4bf3d2d2172cf2.pdf
    • https://static.usrfiles.com/ugd/162fe6_3027ab9868f8448b98bdc53882309df9.pdf
    • https://static.usrfiles.com/ugd/3ceeb9_428313a3010c4070a3f8367a16ce048c.pdf
    • https://static.usrfiles.com/ugd/a01749_2e762bf76b174742b54e27a07e541ba2.pdf
    • https://static.usrfiles.com/ugd/6c313a_0ae4eb769dc243c0b21cf2099413238a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e50a.bin
a631993239088c0a2369863baef44d18ffd6c36593b6928d5e552bf1e1d789fd		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE50A 4860 bytes
font_01_sfnt_off0000f5a6.bin
9024695e6e3292b3d14cd19f643217a4bd999ef215fa8d95f5a9085a257ba309		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF5A6 5328 bytes
font_02_sfnt_off0001096e.bin
0f0f7e00fc70ed3a31b3b1b1fef2f68b6956e68dd2518945f1448543955de2db		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1096E 16288 bytes
font_03_sfnt_off00013c59.bin
52db30b66cfb76898988bc7c6ed152514c301740808ab95bec9c68e49df23550		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13C59 16036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.