Malicious PDF — malware analysis report

Static analysis result for SHA-256 38f6742f17c7b5ad…

MALICIOUS

PDF

42.9 KB Created: 2020-08-30 02:18:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 994f72bc75815ffc7a4f53009dc40bcb SHA-1: e92f8ec907e611206c876a2e7eb1c050995a4a31 SHA-256: 38f6742f17c7b5ad810d79fee8dbbb48b56a83673a94857c3e4988a465b9dbb9
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. The file also exhibits characteristics of a link farm, with numerous embedded URLs pointing to external PDF files, many hosted on Shopify. The primary malicious URL is `https://ttraff.cc/wix?keyword=anime+hair+in+real+life`, which likely serves as a lure to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=anime+hair+in+real+life
    • https://cdn.shopify.com/s/files/1/0433/8299/7148/files/40070527195.pdf
    • https://cdn.shopify.com/s/files/1/0427/4028/5607/files/kebokijuditi.pdf
    • https://cdn.shopify.com/s/files/1/0438/9309/6600/files/46596551756.pdf
    • https://cdn.shopify.com/s/files/1/0432/5815/1072/files/68263976179.pdf
    • https://cdn.shopify.com/s/files/1/0430/6688/4250/files/55112126447.pdf
    • https://static.usrfiles.com/ugd/b8c837_2118bb7747e146ccbc5113a3c7f1e372.pdf
    • https://static.usrfiles.com/ugd/dfb5f8_f9a4d82f97df47b98b6558ffce61cf12.pdf
    • https://static.usrfiles.com/ugd/9e14ca_f1d167030a6146d8a39d5c74240bc75e.pdf
    • https://static.usrfiles.com/ugd/6c98bc_90e06960a423462ca7b2804d27ebf398.pdf
    • https://cdn.shopify.com/s/files/1/0433/3892/4181/files/15233783888.pdf
    • https://cdn.shopify.com/s/files/1/0431/9097/6673/files/1538294196.pdf
    • https://cdn.shopify.com/s/files/1/0437/2630/7480/files/84854893736.pdf
    • https://cdn.shopify.com/s/files/1/0433/2604/6362/files/35657392831.pdf
    • https://cdn.shopify.com/s/files/1/0458/2368/8867/files/79186345081.pdf
    • https://cdn.shopify.com/s/files/1/0432/1017/8717/files/12881517520.pdf
    • https://cdn.shopify.com/s/files/1/0431/3382/9271/files/tamilrockers_2019_telugu_movies_in_madrasrockers.pdf
    • https://cdn.shopify.com/s/files/1/0437/8863/2213/files/lubajebagojowuromejisiba.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000696a.bin
4b2aba312a36c0bfae65ed48eafe8f39e9510a33b91b23d0e919252a7ededb43		 pdf-font-stream PDF embedded font (sfnt) at offset 0x696A 4820 bytes
font_01_sfnt_off00007997.bin
568b230e26349e3f51e2d110be55c29bded907914ca77b0fe73dcda5df6de214		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7997 10924 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.