Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e2b58fb8a8b4264…

MALICIOUS

PDF

35.6 KB Created: 2020-09-02 08:58:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: abcfc715e0f8cd084d51a282f2ffef43 SHA-1: 329c77dc0e1dbd8e29bd54c2a459280a9b462ff1 SHA-256: 3e2b58fb8a8b4264e07f5390fa29725b424e2c1f0de7744412143fee45e37dba
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged by multiple critical heuristics for containing a malicious redirector link and a large number of external links, suggesting a link farm for SEO manipulation or to obscure malicious destinations. The primary malicious URL identified is https://ttraff.cc/pify?keyword=basira+badia+2. The document body contains garbled text but also includes the same URLs found in the heuristics, reinforcing the link-based attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=basira+badia+2
    • https://cdn.shopify.com/s/files/1/0436/0057/6669/files/7987953000.pdf
    • https://cdn.shopify.com/s/files/1/0437/2188/3816/files/psd_wine_bottle_mockup_template.pdf
    • https://cdn.shopify.com/s/files/1/0431/3723/7146/files/vuwesitutabuzowutuz.pdf
    • https://cdn.shopify.com/s/files/1/0432/7899/1518/files/jelegusojom.pdf
    • https://static.usrfiles.com/ugd/ee9d3f_6ff63f0febc048dfbfede7317fa3100a.pdf
    • https://static.usrfiles.com/ugd/062c90_f130bf2ff48c49e7a838bd7172596688.pdf
    • https://static.usrfiles.com/ugd/b0c717_2632320c4acc4f2999588cde00ccf438.pdf
    • https://static.usrfiles.com/ugd/5be868_f778c84f4875480e94c3dcb2dc701557.pdf
    • https://static.usrfiles.com/ugd/7ff653_a62366d8404b4ea2a1eb1f9467051fed.pdf
    • https://static.usrfiles.com/ugd/b48b60_52ae366011bc4f809d565233b031c31d.pdf
    • https://static.usrfiles.com/ugd/9e53d4_4fae5eae909a43179ea0df550678811f.pdf
    • https://static.usrfiles.com/ugd/b8c837_cc315ba13a37423eb33f7e721aefa94c.pdf
    • https://static.usrfiles.com/ugd/9219f8_f4138839ef494074be1ef4923c4fdabb.pdf
    • https://static.usrfiles.com/ugd/b8c837_db9b540fbbe147f8a512187bec583164.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000043ce.bin
2e77a4a4a1254ce75db632934dad150b96781a965d2b256346f3c89dabba8b2d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x43CE 4484 bytes
font_01_sfnt_off000052f4.bin
af945cf48e815cf1800127baa52036eff94202522ce1b0b57fd877d2c6c3a51f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x52F4 9632 bytes
font_02_sfnt_off000073f8.bin
7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71		 pdf-font-stream PDF embedded font (sfnt) at offset 0x73F8 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.