Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c306ebcd816ac1a…

MALICIOUS

PDF

45.0 KB Created: 2020-09-08 21:17:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b37e07c7882daf14b23c788f71670f92 SHA-1: 6246d653f430cf9c69d6a50b5a4f05ffd5097187 SHA-256: 3c306ebcd816ac1a91dc90e27cdf65145919d127890f4d586d4ab313f3e404eb
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link disguised as information about an Android update. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK confirms this, and the ML classifier strongly supports the malicious verdict. The document body, though heavily obfuscated, contains the malicious URL and references to other PDFs, suggesting a link farm or redirection strategy. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=android+one+pi+update+date
    • https://static.usrfiles.com/ugd/b8c837_7a738bd1569b4c1b8ac1690591a78efb.pdf
    • https://static.usrfiles.com/ugd/b8c837_e861cdc6299c4cf8adb30d40da9b057c.pdf
    • https://static.usrfiles.com/ugd/88a84f_1d6b9ff748f7420c9d0834f72f92abc8.pdf
    • https://cdn.shopify.com/s/files/1/0435/3690/8439/files/95407579642.pdf
    • https://cdn.shopify.com/s/files/1/0431/7426/4981/files/49073669214.pdf
    • https://cdn.shopify.com/s/files/1/0431/3976/0295/files/best_high_graphic_android_games_2019.pdf
    • https://cdn.shopify.com/s/files/1/0435/3107/5743/files/1717963063.pdf
    • https://cdn.shopify.com/s/files/1/0465/4333/9678/files/audi_q5_2018_brochure.pdf
    • https://cdn.shopify.com/s/files/1/0429/2182/0313/files/blue_prism_tutorial_download.pdf
    • https://static.usrfiles.com/ugd/f3bfbb_18063c11d8354b2c8c1cd22a00d8d73c.pdf
    • https://static.usrfiles.com/ugd/a2d007_d59cadb2e176461f821e606911719c3e.pdf
    • https://static.usrfiles.com/ugd/e1d58f_cf5cc4003b0143c2b5902b056f9177c7.pdf
    • https://static.usrfiles.com/ugd/83b1b3_1b80decf07f64966ae63c4eec666a9c0.pdf
    • https://static.usrfiles.com/ugd/740d8c_94ce51350503484d9248ebd1fb0c8bd1.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007155.bin
dbd5bc4d6ec2db414c9a3269269f046096d66cb4e37a04e74c5255d0b5dc11d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7155 4732 bytes
font_01_sfnt_off00008178.bin
24b71a6eecc12a563e6a29ed2d01c6f645687199a91f141093d264e17cc0ea85		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8178 11072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.