Malicious PDF — malware analysis report

Static analysis result for SHA-256 76cbd37ed39ec263…

MALICIOUS

PDF

44.0 KB Created: 2020-08-31 11:47:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bf6b7b5a23c5b00b60aa573072080b25 SHA-1: 00f23df6e1763db7cacbea4f5ec48936c56d181c SHA-256: 76cbd37ed39ec263f289d9af395a125afcb87de9d64eef574314ff3f6efdb4d2
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on cdn.shopify.com. One of these links, https://ttraff.cc/wix?keyword=dinamicas+de+grupo+para+mejorar+el+c, is identified as a malicious redirector. This indicates the document's primary purpose is to lure users into clicking malicious links, likely leading to further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=dinamicas+de+grupo+para+mejorar+el+c
    • https://cdn.shopify.com/s/files/1/0430/3929/3593/files/pepilutirovadow.pdf
    • https://cdn.shopify.com/s/files/1/0430/6275/5490/files/mi_box_android_tv_walmart_canada.pdf
    • https://cdn.shopify.com/s/files/1/0431/6463/1195/files/pitogelumarexewoduxe.pdf
    • https://cdn.shopify.com/s/files/1/0433/9482/6405/files/random_real_address.pdf
    • https://cdn.shopify.com/s/files/1/0432/0962/1664/files/baritone_acoustic_guitar_plans.pdf
    • https://cdn.shopify.com/s/files/1/0428/6955/5356/files/fogekozoranejuduzo.pdf
    • https://cdn.shopify.com/s/files/1/0431/5863/4658/files/50874132323.pdf
    • https://cdn.shopify.com/s/files/1/0436/9701/2890/files/pelenigafetoputakonag.pdf
    • https://static.usrfiles.com/ugd/b8c837_6a5f2dd4af0e47188c580170f612d5ce.pdf
    • https://static.usrfiles.com/ugd/cf79db_35857f1f5b0a4ad6aa67200db627e35c.pdf
    • https://cdn.shopify.com/s/files/1/0429/6137/1290/files/49886566803.pdf
    • https://cdn.shopify.com/s/files/1/0429/6078/1465/files/31372084155.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006b79.bin
2327fa8357a1aa9ef783cd595905837ae7c040e9993b95929ef39fc569f1d0a0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B79 5468 bytes
font_01_sfnt_off00007dfc.bin
c0c92ecd6159a19b8de1dfd3dffa87a0dc9ec12f71fc37eb0a4935d8ca427ea6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7DFC 11076 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.