Malicious PDF — malware analysis report

Static analysis result for SHA-256 3fa743a88bb3f06b…

MALICIOUS

PDF

Size: 36.4 KB
Created: 2020-08-30 23:39:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c2407a8c99c07d655351079b89cfaa70
SHA-1: 375fc4e44a4eb6aa54860e6fe35dbc4c3b8f2951
SHA-256: 3fa743a88bb3f06b061fca8aa2986c68d7308c9607fafdfa333d35a5e165dcd6
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1059.001 Command and Scripting Interpreter: PowerShell (not corroborated by this static pass, which extracted no scripts from the sample)

Two link heuristics fired on this PDF. The first is a clickable link to known malicious redirector infrastructure, 'https://ttraff.me/wix?keyword=4th+and+goal+game+unblocked'. The second is a link-farm pattern: a small document carrying many clickable links to other externally hosted PDFs, most of them on static.usrfiles.com and the rest on cdn.shopify.com. The document body, although heavily obfuscated, repeats the same redirector URL and the phrase '4th and goal game unblocked', which reads as an SEO lure intended to get a user to click through. No scripts were extracted from this sample, so the risk rests on user interaction and the redirect chain rather than on a parser exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/wix?keyword=4th+and+goal+game+unblocked
    • https://cdn.shopify.com/s/files/1/0433/7106/9594/files/45646240103.pdf
    • https://cdn.shopify.com/s/files/1/0433/4157/8405/files/75879320469.pdf
    • https://cdn.shopify.com/s/files/1/0432/5759/4016/files/fizasonugifugavunuwuzamuk.pdf
    • https://cdn.shopify.com/s/files/1/0431/4755/9067/files/79895557061.pdf
    • https://cdn.shopify.com/s/files/1/0433/7729/5516/files/66478626012.pdf
    • https://static.usrfiles.com/ugd/b8c837_aea42510b00b4a3dbadee64d088213eb.pdf
    • https://static.usrfiles.com/ugd/b8c837_643fd96829174a5bada6054e7027b46e.pdf
    • https://static.usrfiles.com/ugd/b8c837_b19415cbbbb84587b00bd428bcd33622.pdf
    • https://static.usrfiles.com/ugd/48d9a1_beaf1960da744a3d90e4411414d45e36.pdf
    • https://static.usrfiles.com/ugd/b8c837_d15b243ac0b94e89b68fc01888e4e9ed.pdf
    • https://static.usrfiles.com/ugd/f0e51d_f08fb432b1ab4a8490b59aea473a0af4.pdf
    • https://static.usrfiles.com/ugd/67f5f7_d492608ebfe44cd29f4be19991d9aa9f.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    (The last six entries are XMP/RDF namespace URIs from the metadata packet, not clickable links; any PDF carrying an XMP packet contains them, so they carry no signal on their own.)
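As an added example (my own code, not the report's analysis engine), the script below reproduces the two link heuristics above over a PDF's raw bytes: it separates URLs reached through a clickable /URI link annotation from URLs that are merely present somewhere in the file (the channel distinction the EMBEDDED_URL note refers to), flags clickable links on a known redirector host, and tests the link-farm pattern (small file, many clickable external .pdf links, clustered on one host). The redirector host list, the thresholds, and the two toy PDFs built in-line (one wrapping a subset of the URLs listed in this report, one benign control) are all assumptions constructed for the demo.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Hosts treated as known redirector infrastructure. Assumed list for the demo;
# ttraff.me is the host the report names.
REDIRECTOR_HOSTS = {"ttraff.me"}

# Link-farm thresholds. Assumed values, not the analysis engine's own.
MAX_FARM_SIZE = 256 * 1024    # what counts as a "small" PDF
MIN_PDF_LINKS = 5             # clickable links to externally hosted .pdf files
MIN_TOP_HOST_SHARE = 0.5      # fraction of those links on the single busiest host

# /URI (...) literal strings inside link annotations; tolerates \( \) \\ escapes.
URI_ANNOT_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Any http(s) URL anywhere in the raw bytes (XMP packet, content streams, ...).
RAW_URL_RE = re.compile(rb"https?://[^\s()<>'\"]+")


def pdf_string(raw: bytes) -> str:
    """Undo the PDF literal-string escapes that matter for a URL."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_urls(pdf: bytes) -> dict:
    """Map each URL to the channel(s) it was reached through:
    'link_annotation' = clickable /URI action, 'raw_text' = present in the bytes.
    XMP namespace URIs only ever land in 'raw_text'."""
    found = {}
    for m in URI_ANNOT_RE.finditer(pdf):
        found.setdefault(pdf_string(m.group(1)), set()).add("link_annotation")
    for m in RAW_URL_RE.finditer(pdf):
        found.setdefault(m.group(0).decode("latin-1"), set()).add("raw_text")
    return found


def redirector_hits(urls: dict) -> list:
    """PDF_MALICIOUS_REDIRECTOR_LINK: clickable URIs on a known redirector host."""
    return sorted(u for u, ch in urls.items()
                  if "link_annotation" in ch
                  and urlparse(u).hostname in REDIRECTOR_HOSTS)


def link_farm(urls: dict, size: int):
    """PDF_SEO_LINK_FARM: small file, many clickable external .pdf links,
    clustered on one host. Returns None when the pattern is absent."""
    pdf_links = [u for u, ch in urls.items()
                 if "link_annotation" in ch
                 and urlparse(u).path.lower().endswith(".pdf")]
    if size > MAX_FARM_SIZE or len(pdf_links) < MIN_PDF_LINKS:
        return None
    host, n = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)[0]
    share = n / len(pdf_links)
    if share < MIN_TOP_HOST_SHARE:
        return None
    return {"pdf_links": len(pdf_links), "top_host": host, "top_host_share": share}


def analyse(pdf: bytes) -> dict:
    urls = extract_urls(pdf)
    return {
        "size": len(pdf),
        "urls": urls,
        "PDF_MALICIOUS_REDIRECTOR_LINK": redirector_hits(urls),
        "PDF_SEO_LINK_FARM": link_farm(urls, len(pdf)),
    }


def build_sample_pdf(link_urls) -> bytes:
    """Constructed test input: a toy PDF with one /Link annotation per URL plus
    an XMP packet. Not the report's sample, just enough structure to parse."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        b"/A << /S /URI /URI (" + u.encode() + b") >> >>\n" for u in link_urls)
    xmp = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'>"
           b"<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
           b"xmlns:dc='http://purl.org/dc/elements/1.1/'/></x:xmpmeta>")
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [\n", annots, b"] >> endobj\n",
        b"4 0 obj << /Type /Metadata /Subtype /XML /Length "
        + str(len(xmp)).encode() + b" >>\nstream\n", xmp,
        b"\nendstream\nendobj\n%%EOF\n",
    ])


# A subset of the clickable URLs the report lists for this sample.
SAMPLE_PDF = build_sample_pdf([
    "https://ttraff.me/wix?keyword=4th+and+goal+game+unblocked",
    "https://cdn.shopify.com/s/files/1/0433/7106/9594/files/45646240103.pdf",
    "https://cdn.shopify.com/s/files/1/0433/4157/8405/files/75879320469.pdf",
    "https://static.usrfiles.com/ugd/b8c837_aea42510b00b4a3dbadee64d088213eb.pdf",
    "https://static.usrfiles.com/ugd/b8c837_643fd96829174a5bada6054e7027b46e.pdf",
    "https://static.usrfiles.com/ugd/b8c837_b19415cbbbb84587b00bd428bcd33622.pdf",
    "https://static.usrfiles.com/ugd/48d9a1_beaf1960da744a3d90e4411414d45e36.pdf",
])
# Control: an ordinary document citing two PDFs on two hosts (constructed).
BENIGN_PDF = build_sample_pdf([
    "https://example.org/papers/a.pdf",
    "https://example.net/reports/b.pdf",
])

if __name__ == "__main__":
    result = analyse(SAMPLE_PDF)
    for url, channels in sorted(result["urls"].items()):
        print(f"{url}  [{', '.join(sorted(channels))}]")
    print("redirector:", result["PDF_MALICIOUS_REDIRECTOR_LINK"])
    print("link farm :", result["PDF_SEO_LINK_FARM"])
```

The point of the two-channel extraction is that the namespace URIs in the XMP packet come out tagged `raw_text` only, so neither heuristic ever counts them, while every URL behind a `/URI` action is tagged `link_annotation` and is the only kind the link-farm and redirector checks consider. A production version would walk the object tree (and decompress object streams) rather than regex the raw bytes, but the channel split is the part that keeps the heuristics honest.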

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                       Size
font_00_sfnt_off0000502a.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x502A    5276 bytes
  SHA-256: 0818073558a30a16ef4165a412b834e20ec7c6da81f87c13e2bfa8a56a574986
font_01_sfnt_off000061f2.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x61F2    10384 bytes
  SHA-256: 6c1f646ae6f4db2bf372adb19ac468ce4ee086328da74d3de8f0fb73123ad210