Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e48e6fe16674916…

MALICIOUS

PDF

45.5 KB Created: 2020-08-31 01:00:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aa0855a32a03002d749d0b3c26c00fa9 SHA-1: fffe4bffea2b4c60ce3f6ab391c679c0a3de6924 SHA-256: 3e48e6fe1667491662a894baf0c6cbd631ab9524cad97cbc0eaaf79fe1f48e63
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged as malicious by a machine learning classifier and contains a significant number of embedded links. One critical heuristic identified a link to a known malicious redirector at 'https://ttraff.cc/wix?keyword=honda+service+code+b12'. Another heuristic indicates a large PDF link farm, with many links pointing to 'static.usrfiles.com'. The document body contains garbled text but includes the suspicious URL, suggesting a lure related to 'honda service code b12'. The primary attack pattern appears to be SEO manipulation and redirection to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=honda+service+code+b12
    • https://static.usrfiles.com/ugd/b8c837_bb9c164d9f764af6adca72799d9bd272.pdf
    • https://static.usrfiles.com/ugd/bd5c68_22dea6543ffe4b43aaeddc0fc32d6b03.pdf
    • https://static.usrfiles.com/ugd/7f16bd_e9e44a44f50240afaf9d7c4379b86d38.pdf
    • https://static.usrfiles.com/ugd/b8c837_ca6c945ce8ca462986d5ccd3d3f84bf6.pdf
    • https://static.usrfiles.com/ugd/455f95_df2cefa0fbc848fb820b66c4d1d285db.pdf
    • https://cdn.shopify.com/s/files/1/0427/5293/4044/files/fatamipiwasorumemitedax.pdf
    • https://static.usrfiles.com/ugd/b8c837_f8247b8008014c66982ddd0acc608df6.pdf
    • https://static.usrfiles.com/ugd/b8c837_dd09ff8b39dc45ffbba8d63e1564af44.pdf
    • https://static.usrfiles.com/ugd/f84671_eb76202dcf854f88bae827dffee4fa67.pdf
    • https://static.usrfiles.com/ugd/5be868_77b0e593a0904284a4baee7f904330f6.pdf
    • https://cdn.shopify.com/s/files/1/0440/7597/4821/files/free_printable_writing_worksheets_for_middle_school.pdf
    • https://cdn.shopify.com/s/files/1/0432/0778/6654/files/cerner_millennium_powerchart_manual.pdf
    • https://cdn.shopify.com/s/files/1/0429/2873/4367/files/bubopezeririkemavufi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000071d4.bin
1cb475d0431ea4fb87173a6ad51066fd1da7819f5ce8e99949af94c8fc75b901		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71D4 5244 bytes
font_01_sfnt_off000083bf.bin
cd22391d9ced0d5388e5e0496e9328c41438898ff2cb7c1ed9cdd9c6dc47febb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x83BF 11208 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.