Malicious PDF — malware analysis report

Static analysis result for SHA-256 5286f629b6fa3cfd…

MALICIOUS

PDF

52.1 KB Created: 2020-08-31 02:10:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: acefe623ac0b29d554ee2a4adc057f7d SHA-1: 0e696b42d579b3e6ac0eefe09d35cd0b0322c9ab SHA-256: 5286f629b6fa3cfdd84e91e5deec8420becaee83d902b1e3cfce42a5947936f8
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. This link, 'https://ttraff.cc/wix?keyword=rigs+of+rods+school+bus+download+link', likely leads to a malicious site. The PDF also exhibits characteristics of a link farm, suggesting an attempt to manipulate search engine results or distribute links broadly. No scripts were extracted, limiting further analysis of the payload delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=rigs+of+rods+school+bus+download+link
    • https://static.usrfiles.com/ugd/2b3f46_0bd4a6e994d547a9a90812723a313c3e.pdf
    • https://static.usrfiles.com/ugd/83b1b3_48448134a54a4e9ea1cc0e0bc19d2469.pdf
    • https://static.usrfiles.com/ugd/b8c837_9c881a4cdd3a48caac3f3699895b18b5.pdf
    • https://cdn.shopify.com/s/files/1/0433/7873/7310/files/digital_marketing_on_various_social_media_platforms.pdf
    • https://cdn.shopify.com/s/files/1/0434/1042/3960/files/56089319660.pdf
    • https://static.usrfiles.com/ugd/b8c837_a68c19e79ac14cc0a1bd0bc883cb7970.pdf
    • https://static.usrfiles.com/ugd/b8c837_cb947a83038346949775d32229c52603.pdf
    • https://static.usrfiles.com/ugd/b8c837_f700d46583144fc38939bec58969a510.pdf
    • https://cdn.shopify.com/s/files/1/0434/4401/1168/files/dupaberegamowelazarukax.pdf
    • https://cdn.shopify.com/s/files/1/0430/1501/2511/files/yasin_suresi_tefsiri.pdf
    • https://cdn.shopify.com/s/files/1/0452/6263/5168/files/61159745992.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006282.bin
f3308e3ccb4fc1932e2c1ec1b814dd6dc6b616eac2272cb3e101798c2e10c33b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6282 5268 bytes
font_01_sfnt_off0000746a.bin
8c9af6cdfd37778809e5aedcf1f34f70b6c1bd2c85155501499b180a02ee1f35		 pdf-font-stream PDF embedded font (sfnt) at offset 0x746A 13600 bytes
font_02_sfnt_off0000a013.bin
13873d145b8da2256cc9aff7ec32aedf7dd7de0e65fabb376e0f91dd1eea3996		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA013 16196 bytes
font_03_sfnt_off0000b52e.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB52E 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.