Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c4b49ecc0781f0a…

MALICIOUS

PDF

43.0 KB Created: 2020-09-05 01:01:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2e3bf970a953b8cfa51a6516fa5aaccd SHA-1: 5bfde6b9b31a32c32d3c3eea2a4403da0ed704c2 SHA-256: 3c4b49ecc0781f0a9e608c932dc38759d187bf2b3e54e085022ce410578eaf88
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link farm designed to redirect users to potentially malicious content, as indicated by the critical PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The primary malicious URL identified is https://ttraff.cc/wix?keyword=adiga+adiga+telugu+audio+song. The document body, though heavily obfuscated, contains this URL and appears to be a lure related to a song title.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9483

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=adiga+adiga+telugu+audio+song
    • https://cdn.shopify.com/s/files/1/0438/5233/3206/files/48948139570.pdf
    • https://cdn.shopify.com/s/files/1/0434/5964/1496/files/administrator_duties_and_responsibilities_list.pdf
    • https://cdn.shopify.com/s/files/1/0429/6785/9359/files/balance_sheet_schedule_6_format.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/45366335679.pdf
    • https://static.usrfiles.com/ugd/764aaa_46f99380a4e44045abf36c86539ad4c1.pdf
    • https://static.usrfiles.com/ugd/b8c837_b7fc493d645d4e258e8e312978b99f82.pdf
    • https://static.usrfiles.com/ugd/c0fca2_87582876eaf6475580eedab06e0208c3.pdf
    • https://static.usrfiles.com/ugd/63f22d_38fca31daeda4472b345afe79d83ed05.pdf
    • https://cdn.shopify.com/s/files/1/0447/2979/4713/files/baixar_livro_after_5_em_gratis.pdf
    • https://cdn.shopify.com/s/files/1/0427/6197/8023/files/50298078053.pdf
    • https://cdn.shopify.com/s/files/1/0436/4291/2926/files/jofibikonudedodevikefov.pdf
    • https://cdn.shopify.com/s/files/1/0434/7399/3890/files/annabac_2020.pdf
    • https://cdn.shopify.com/s/files/1/0448/0414/5309/files/alphabet_in_english_pronunciation.pdf
    • https://cdn.shopify.com/s/files/1/0428/7958/2374/files/cub_cadet_super_lt_1550.pdf
    • https://cdn.shopify.com/s/files/1/0433/0291/2158/files/enter_the_gungeon_shellegun.pdf
    • https://cdn.shopify.com/s/files/1/0431/2816/0417/files/vimufedowifawunaseb.pdf

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005044.bin
4a33ce63df210661bc6cced4ff51186be3875fe67ae15cdca31b85c017ae8a0d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5044 4884 bytes
font_01_sfnt_off000060f4.bin
cc9173e67505a363e6e1d3bdc37b2a97634605634718b9db60db06346b61c44d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x60F4 12928 bytes
font_02_sfnt_off00008aca.bin
001d00114279cda904ec87ee5caf81ece5266ef333c342f0ca5ce216f4908131		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8ACA 18776 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.