Malicious PDF — malware analysis report

Static analysis result for SHA-256 3cf30a0eeb2414fb…

MALICIOUS

PDF

40.9 KB Created: 2020-08-30 09:12:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b79ffc2b8f4356471fd356456cf8a05e SHA-1: 7df191167ee7dc8c076298946c3c306f5435a382 SHA-256: 3cf30a0eeb2414fbdaa4e2bc455bc86e24007dfd08b04b190c0db82889c2d179
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to `https://ttraff.cc/wix?keyword=gangstar+rio+city+of+saints+apk+free`. This URL is likely used to host or redirect to malicious content. The document also exhibits characteristics of a PDF link farm, with numerous embedded URLs, many hosted on `cdn.shopify.com`. The ML classifier strongly flagged this PDF as malicious. The presence of a malicious redirector suggests the document's primary purpose is to lure users to a harmful site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=gangstar+rio+city+of+saints+apk+free
    • https://cdn.shopify.com/s/files/1/0431/9641/6157/files/9321528716.pdf
    • https://cdn.shopify.com/s/files/1/0437/3345/0903/files/jr_furniture_aberdeen_sd.pdf
    • https://cdn.shopify.com/s/files/1/0435/5732/2903/files/wow_classic_cask_of_merlot.pdf
    • https://cdn.shopify.com/s/files/1/0440/5208/6934/files/diagrama_de_gantt_formato_condicional.pdf
    • https://cdn.shopify.com/s/files/1/0433/1926/3397/files/bobaxapadekaduxifilu.pdf
    • https://cdn.shopify.com/s/files/1/0428/4517/5971/files/beautiful_things_chords.pdf
    • https://cdn.shopify.com/s/files/1/0432/5317/0334/files/wefexefusawigu.pdf
    • https://cdn.shopify.com/s/files/1/0429/5481/7690/files/bivigiwukemu.pdf
    • https://static.usrfiles.com/ugd/b8c837_b60745ba57ee4fd8acdf294bf668ee1b.pdf
    • https://static.usrfiles.com/ugd/7ea8bb_b525c66729ef41f9a3a9da4de46de78d.pdf
    • https://static.usrfiles.com/ugd/b8c837_caba378897434a4e9a4c7be3dabc2fbf.pdf
    • https://static.usrfiles.com/ugd/837d34_e64af69607544abf8187229671d1a7dc.pdf
    • https://static.usrfiles.com/ugd/b8c837_9151738f30464518a1a30bcad4501425.pdf
    • https://cdn.shopify.com/s/files/1/0432/6876/7907/files/soncino_talmud_pdf.pdf
    • https://cdn.shopify.com/s/files/1/0440/4133/9045/files/19614444961.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000060aa.bin
3652bbe7fe59097c361a3b14d9b716a90b5f6b4e2f6e1736f66386d48c06b47b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x60AA 5348 bytes
font_01_sfnt_off00007302.bin
6316f172c713d076470df5bd6a94ba54a10fb9bdfdcf8052ab5f63eb57293875		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7302 10816 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.