Malicious PDF — malware analysis report

Static analysis result for SHA-256 47683169d0507c2a…

MALICIOUS

PDF

Size: 41.5 KB
Created: 2020-09-19 09:24:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a2c1f412a59d39fea0b21bc19a8124af
SHA-1: 891db4ce54ce943fe9bca23f613390721c297855
SHA-256: 47683169d0507c2a6e46b803443433ffae3c8278fd3e47e80c25ef7ba3fd3423
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.link/wix?keyword=apk+editor+download+pro'. This indicates the document's primary purpose is to redirect users to external content, likely malicious. The presence of a large number of external PDF links, many hosted on Shopify, further supports a link farm or redirection strategy. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure (critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.link/wix?keyword=apk+editor+download+pro
    • https://cdn.shopify.com/s/files/1/0476/7350/8006/files/hdmi_dongle_usb_device_gopro.pdf
    • https://cdn.shopify.com/s/files/1/0439/1701/7243/files/2946266932.pdf
    • https://cdn.shopify.com/s/files/1/0434/0944/0924/files/jidusapale.pdf
    • https://cdn.shopify.com/s/files/1/0434/5783/9254/files/my_little_pony_coloring_sheets.pdf
    • https://768277f0-e715-4733-acd7-3f8ac2ae0341.filesusr.com/ugd/7a359d_924775a17195495bb92c15a71755a943.pdf?index=true
    • https://9d2d2f62-3b6d-4c2b-99c3-a1605e20e257.filesusr.com/ugd/decf6f_d1d4c127257b43cabcac2ba7ccb0b750.pdf?index=true
    • https://b9a68374-21c1-4cef-a4cb-bfbf0f68f09c.filesusr.com/ugd/ee6770_362a9500b144417aa9f9ebd0a99c460c.pdf?index=true
    • https://b0a0a184-de40-4cb1-ac0d-4a0a83a7283f.filesusr.com/ugd/3f8d85_689a392b22bc4992bae7c84317dc1fb6.pdf?index=true
    • https://a613e116-7e0b-47a7-bba6-95dff7468698.filesusr.com/ugd/ef253e_35d24bdd43b54507bc9fc4c9a8c81ccd.pdf?index=true
    • https://4fb66320-d77b-4831-9913-862fe55970d3.filesusr.com/ugd/79e0dc_65e023b8166f4ec29a042a3b1031f6f2.pdf?index=true
    • https://f7c55030-910f-4368-8094-d33e27b7ec50.filesusr.com/ugd/a43ec6_8561c4fb8f994d059bb5abf80edb1c57.pdf?index=true
    • https://5ccb75e2-1fb6-43f5-8088-4239506a71f6.filesusr.com/ugd/a4ea6c_0a58374113ee48cb99a2fdc9dee66dd5.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006492.bin
SHA-256: db3675a5f6f0e5e1e29acfcf24c4f8b36ea2330082c9d00e2d400d535d23e1eb
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6492
Size: 4920 bytes

Filename: font_01_sfnt_off00007571.bin
SHA-256: c3a61a686d1a3b9ef809e52db299c038855a8a554cc81624f41af682563b9b64
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7571
Size: 10632 bytes