Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b28b831acf842fb…

Verdict: MALICIOUS
File type: PDF
Size: 77.7 KB
Created: 2020-09-17 00:49:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 97bcd4d1ca86ce0e3264cf2e104e0a18
SHA-1: 29f3bf6440d91c71cc0263580507ac8cd4a24bd9
SHA-256: 3b28b831acf842fb60b70c64e61c480d2f8a146590edbd471460befd2ec55de3
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1204.002 User Execution: Malicious File

A critical heuristic fired on a clickable link to known malicious redirector infrastructure. The URL 'https://ttraff.club/wix?keyword=realidades+2+capitulo+3b-4+answers' is presented to the reader as a lure (the keyword is a homework-answer search phrase, typical search-engine bait), and following it enters a redirect chain rather than reaching the promised content. The ML classifier also scored the PDF as malicious with maximum confidence. The same URL appears in the document body, although obfuscated, as well as in the link annotation, so it reaches the user through two channels. The producer string (wkhtmltopdf, an HTML-to-PDF converter) and the dense set of external .pdf links are consistent with an automatically generated SEO link-farm carrier. The link targets sit on legitimate user-content hosting (Shopify CDN and Wix filesusr.com domains), so blocking by host alone is impractical; detection should key on the document pattern. No parser exploit, JavaScript or embedded executable was identified in this sample (the only carved artifacts are three embedded fonts); the risk is the redirect chain the user is enticed to click.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • [info] EMBEDDED_URL: embedded URLs
    One or more URLs were extracted from the document. A URL by itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.club/wix?keyword=realidades+2+capitulo+3b-4+answers
    • https://cdn.shopify.com/s/files/1/0434/7772/9442/files/67187043507.pdf
    • https://cdn.shopify.com/s/files/1/0439/2222/7368/files/arriva_bus_app_apk.pdf
    • https://cdn.shopify.com/s/files/1/0435/2045/8906/files/asda_baby_shoes_size_guide.pdf
    • https://cdn.shopify.com/s/files/1/0431/8530/7805/files/new_movies_name_2018_bollywood.pdf
    • https://cdn.shopify.com/s/files/1/0430/8919/9268/files/nujemu.pdf
    • https://98e67ef0-c246-4c38-857b-16dec001477e.filesusr.com/ugd/a2ebd8_32a027a8a9754396a9ccf597f607dad4.pdf?index=true
    • https://d40c391f-e1af-44ab-9858-2981094548a3.filesusr.com/ugd/92ee2b_d2d57c9725964812b31aef2b2a856092.pdf?index=true
    • https://54f004ac-d17b-4606-9118-fe1c8c8a382a.filesusr.com/ugd/ab5adf_c20dc45c8692425f8cbb627fec9bfae3.pdf?index=true
    • https://640f99fa-035d-404e-bf00-3df67c4a2389.filesusr.com/ugd/76aeb6_08522dabd1044a53b92ae01b9441baee.pdf?index=true
    • https://bc5711e6-2f17-4809-a3e9-dd4249fb2b60.filesusr.com/ugd/9ef0c3_b9489a1aae4f4b47b8d42e2304994407.pdf?index=true
    • https://170dc11e-794c-4245-9b7d-eeb86e4783cb.filesusr.com/ugd/fe83c3_692c88cc286344aa995265e87194f4a8.pdf?index=true
    • https://32e27446-d0c3-478f-bb97-42bdedbf5b22.filesusr.com/ugd/ab922d_3f1f9e29617f4d0bb052468b97ae7c9c.pdf?index=true
    • https://94cebeb0-99c2-405c-aa97-ede7a5db4a22.filesusr.com/ugd/3254bf_9170fd091b8a4968b2b116cb65a66397.pdf?index=true
    • https://98daf837-f9f7-4ae3-a0c7-97499a80a908.filesusr.com/ugd/2ac701_16869b73aa3c475bac262bca5fe4a503.pdf?index=true
    • https://9fcf9f61-5b94-4929-9e2d-8de3e263c0c5.filesusr.com/ugd/7dfe85_77dbe2d0514d42749f59932b8525e0d4.pdf?index=true
    • https://823f68b0-ee3f-41cb-b334-a6715b9c192f.filesusr.com/ugd/5e8de6_3591c761a4ed427a8e6f07245d4b340f.pdf?index=true
    • https://3281e38e-648c-4fa4-9f5b-d0eebdf00616.filesusr.com/ugd/9df9d6_b1a172862828415f89b22a5dd1bdd559.pdf?index=true
    • https://930a850f-ec67-44b2-90b1-fa10e8961596.filesusr.com/ugd/4b874d_339590bb01154594b0c28285fa8e8165.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    Note: the last six entries are standard XMP/RDF/Dublin Core metadata namespace identifiers from the document's metadata stream, not clickable links, and carry no detection weight.
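To make the two critical heuristics concrete, the following is an added example (not the analysis platform's code) that re-implements PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM over a constructed PDF. The PDF is built in memory with one /Link annotation per URL; the URLs mirror the report's pattern (one ttraff.club lure plus external .pdf links clustered on two parent domains) but the paths are made up. The thresholds, the two-label parent-domain rule and the use of a regex instead of a real PDF parser are simplifications of my own; a production pipeline must decompress FlateDecode streams and object streams before looking for /URI actions.

```python
"""Added example: re-implements two heuristics from the report (not the platform's code).
Thresholds, parent-domain collapsing and the regex-based extraction are assumptions."""
import re
from collections import Counter
from urllib.parse import urlparse

# Redirector host named by the PDF_MALICIOUS_REDIRECTOR_LINK hit in this report.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.club"}

# Constructed link set mirroring the report: one redirector lure plus a cluster of
# external .pdf links on two shared parent domains. Paths are made up for the demo.
SAMPLE_URLS = (
    ["https://ttraff.club/wix?keyword=realidades+2+capitulo+3b-4+answers"]
    + [f"https://cdn.shopify.com/s/files/1/0434/{i:04d}/files/doc{i}.pdf" for i in range(5)]
    + [f"https://site-{i:02d}.filesusr.com/ugd/aa{i:02d}_demo.pdf?index=true" for i in range(13)]
)


def build_sample_pdf(urls):
    """Emit a minimal, uncompressed PDF whose single page carries one /Link
    annotation with a /URI action per URL. Constructed input, not the real sample."""
    def esc(s):
        return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    annots = []
    for n, u in enumerate(urls, start=4):
        annots.append(f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                      f"/A << /S /URI /URI ({esc(u)}) >> >>\nendobj\n")
    refs = " ".join(f"{n} 0 R" for n in range(4, 4 + len(urls)))
    body = ("%PDF-1.4\n"
            "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{refs}] >> endobj\n"
            + "".join(annots) + "trailer << /Root 1 0 R >>\n%%EOF\n")
    return body.encode("latin-1")


# Literal-string form of a /URI action; tolerates escaped parentheses inside the string.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_link_uris(pdf_bytes):
    """URLs reachable through the link-annotation channel (/A << /S /URI ... >>)."""
    out = []
    for raw in URI_RE.findall(pdf_bytes):
        s = re.sub(rb"\\([()\\])", rb"\1", raw)  # undo PDF literal-string escapes
        out.append(s.decode("latin-1"))
    return out


def parent_domain(host):
    """Collapse '<uuid>.filesusr.com' to 'filesusr.com'. The two-label rule is an
    assumption for the demo; use the public-suffix list in production."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def evaluate(pdf_bytes, min_links=10, max_size=200 * 1024, cluster_ratio=0.5):
    """Apply both heuristics; threshold defaults are assumptions, not the platform's."""
    uris = extract_link_uris(pdf_bytes)
    parsed = [urlparse(u) for u in uris]
    redirector_hits = sorted({u.geturl() for u in parsed
                              if u.hostname in KNOWN_REDIRECTOR_HOSTS})
    # Test the path, not the whole URL: '...pdf?index=true' would defeat a naive endswith.
    ext_pdf = [u for u in parsed if u.scheme in ("http", "https")
               and u.path.lower().endswith(".pdf")]
    clusters = Counter(parent_domain(u.hostname) for u in ext_pdf if u.hostname)
    top_domain, top_count = clusters.most_common(1)[0] if clusters else (None, 0)
    link_farm = (len(pdf_bytes) <= max_size and len(ext_pdf) >= min_links
                 and top_count / len(ext_pdf) >= cluster_ratio)
    return {
        "uri_count": len(uris),
        "external_pdf_links": len(ext_pdf),
        "top_cluster": (top_domain, top_count),
        "PDF_MALICIOUS_REDIRECTOR_LINK": redirector_hits,
        "PDF_SEO_LINK_FARM": link_farm,
    }


if __name__ == "__main__":
    for k, v in evaluate(build_sample_pdf(SAMPLE_URLS)).items():
        print(f"{k}: {v}")
```

Clustering is done on the parent domain rather than the exact host because carriers like this one spread their targets over per-site subdomains of a single hosting provider; counting exact hosts would hide the cluster. The size bound keeps the rule from firing on long bibliographies in large documents.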

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d36b.bin
  SHA-256: 826392a62b4e7b7ba21d55be003853ca203dcbafc0b14b1b714255ec1b6cb4b2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD36B
  Size: 5720 bytes

Filename: font_01_sfnt_off0000e714.bin
  SHA-256: dc8d4fcde273e819e694106fcefe4080dc214296ef533e71b531ef7b1a5182b7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE714
  Size: 14080 bytes

Filename: font_02_sfnt_off00011475.bin
  SHA-256: 35d3440dae1ebc896564e4e6f70ea95aa3a30a1ac603c7fffbb21b68b8b72e2f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11475
  Size: 16036 bytes