Malicious PDF — malware analysis report

Static analysis result for SHA-256 500cc0ef5a238a17…

Verdict: MALICIOUS
File type: PDF
Size: 36.0 KB
Created: 2020-09-19 21:52:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a9c7154b1a14aa975e1e6f32114fefd9
SHA-1: 3ef510fdd333d9099b838d7f6980f5e4902c7e79
SHA-256: 500cc0ef5a238a17d3e137d4ae2b854b72cb8ed3fc311d44efaba3f4861d5102
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF was flagged by multiple critical heuristics for containing malicious redirector links and a link farm. The embedded URLs, particularly the one pointing to 'ttraff.link', suggest a phishing or malware distribution attempt. The document body, though partially corrupted, contains a URL that matches the suspicious redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.link/wix?keyword=devil+outfits+ideas
    • http://files.rone.studio/uploads/1/3/1/3/131379266/gopijiwupevutekifari.pdf
    • http://files.aminuteforannmarie.com/uploads/1/3/1/3/131379545/gipabefesew-pefanirotomati.pdf
    • http://files.mmewallden.com/uploads/1/3/0/8/130874583/8bcd51.pdf
    • https://dc1b85c7-a9d9-408c-a9f4-9ff5f035dc22.filesusr.com/ugd/76de1a_89b03cc644d64032bfbc44c7705c2c40.pdf?index=true
    • https://d6423db2-4257-4d71-8781-b855440fe8d8.filesusr.com/ugd/ede58b_71f43c716d5047269062ffd81577d50f.pdf?index=true
    • https://f70243ae-092f-4a57-b5f5-f379aa35d821.filesusr.com/ugd/04e6f9_ca1d768e7723443ab6979b11c20b8c5d.pdf?index=true
    • https://a1a7b381-89f3-40a3-9ee3-9ea08b796506.filesusr.com/ugd/03f576_9b4d5a4024e44b70806f878d9389f3f1.pdf?index=true
    • https://cb06d98b-665f-4ed5-a610-03bf4c3cee3e.filesusr.com/ugd/9b7d8a_a306c10117a94cb694a6fa01d6571d9e.pdf?index=true
    • https://feaac053-f2ac-439b-902e-ec8f5b570a4c.filesusr.com/ugd/b0c8dc_623e40cf642548b288781e39ce8c7e46.pdf?index=true
    • https://b565893f-c408-4559-b9bc-9fce1f859c52.filesusr.com/ugd/6dcf04_3129e132b9334983a7cc3a183f4952eb.pdf?index=true
    • https://7411fd4c-c797-437f-a949-e280e671d225.filesusr.com/ugd/8a419d_e63d1be044c24f18ba4bba2f9b7af0a9.pdf?index=true
    • https://0535760b-3b65-4877-bf07-a24a11247e5c.filesusr.com/ugd/a7074a_6ef58a9d699f495d85702a05140f70f4.pdf?index=true
    • https://8695907e-47cd-4dc6-a4f9-d4ca5dc2a3d1.filesusr.com/ugd/fe0276_890645ac91784a959addbdb4d9b84c1f.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004f5a.bin
SHA-256: cc0f99cd2b4256f2d80da0e1eb940be4febbe4788038b64357d225cff8130426
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4F5A
Size: 4864 bytes

Filename: font_01_sfnt_off00006008.bin
SHA-256: 1db2dd3668fa35d97a8fd9e9c1f2076a02069215deb5b1aec2cbbfec24bea6f9
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6008
Size: 10436 bytes