Malicious PDF — malware analysis report

Static analysis result for SHA-256 38bb1facb810feda…

MALICIOUS

PDF

48.2 KB Created: 2020-09-04 14:08:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00335b014a8a2e3c35ff18648b89c25e SHA-1: 9685d7c348b10672a3eb95db64606eac64614a60 SHA-256: 38bb1facb810feda808a02c59f3d9aae04af440702c2bf1ad5306fb5d5322dc1
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a prominent link disguised as a free software crack, which redirects to a malicious URL. This indicates a social engineering lure to drive traffic to potentially harmful content. The PDF also contains a large number of embedded links, many pointing to Shopify, suggesting a link farm or SEO manipulation tactic to increase visibility of the malicious redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=3ds+max+2009+crack+file+free
    • https://cdn.shopify.com/s/files/1/0434/4800/8866/files/vupudasewiwijovirezukuw.pdf
    • https://cdn.shopify.com/s/files/1/0428/9468/8412/files/32546287185.pdf
    • https://cdn.shopify.com/s/files/1/0432/3606/5435/files/7889371851.pdf
    • https://cdn.shopify.com/s/files/1/0463/5177/7954/files/phone_call_recording_app_android_free.pdf
    • https://cdn.shopify.com/s/files/1/0469/0775/2608/files/61325463775.pdf
    • https://cdn.shopify.com/s/files/1/0433/5468/5599/files/birdland_bass.pdf
    • https://cdn.shopify.com/s/files/1/0432/3203/4980/files/saxovawozasexefisikowobes.pdf
    • https://cdn.shopify.com/s/files/1/0429/7634/6266/files/juxilo.pdf
    • https://static.usrfiles.com/ugd/b8c837_edf8cdef334e4b329ade1c23d0c4b84f.pdf
    • https://static.usrfiles.com/ugd/b8c837_7a5744a1b30e48a28ca4e771fb670019.pdf
    • https://static.usrfiles.com/ugd/b8c837_d60a498265e24d389fd958850a23d40f.pdf
    • https://static.usrfiles.com/ugd/469aea_772f36566e2f4fe1aa31fc321bbbb18d.pdf
    • https://static.usrfiles.com/ugd/3794ad_6ccfd4096a574b3cb3f5748d6221dc1c.pdf
    • https://static.usrfiles.com/ugd/9a242c_266db9c5208d466692ca69357840234d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000629b.bin
6a401a2df0ddd48f85cc64d6ba06a1a7cc757b51adea5c7ceddd9f87dcd80b83		 pdf-font-stream PDF embedded font (sfnt) at offset 0x629B 5796 bytes
font_01_sfnt_off00007639.bin
416974b1af15ef5efd5273fe4c6ca2f8ccf6840db5a7c91a1f90661cd42b3978		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7639 7596 bytes
font_02_sfnt_off00008ef5.bin
c05b050ddd3c1f973bc43849e3ab8b9cfb0d8e66abde46bcd2580cf0572be74d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8EF5 10736 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.