Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b2fd30a75628901…

MALICIOUS

PDF

57.8 KB Created: 2020-09-18 00:16:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 030e625d2d7c28346d607796df7ab86f SHA-1: 454eb2b9e61ff9432ab747cffffa133e3a44af8e SHA-256: 7b2fd30a756289010fe4bb6032acaecbaa3d57d72340d4209adcea7e201ec199
170 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file is identified as malicious due to its structure, which includes an image-only lure and a malicious redirector link. The document body contains a search query related to Minecraft characters, likely a lure to entice clicks. The primary malicious URL identified is https://ttraff.link/wix?keyword=personaje+de+minecraft+como+se+llama, which is flagged as a redirector. The file also contains a large number of embedded links, many pointing to benign-looking PDF files, suggesting a link farm or SEO poisoning tactic.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 1 text block(s), carries a click-outward action, and is only 57 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=personaje+de+minecraft+como+se+llama
    • https://cd989f6b-e6fb-4e63-8718-262b05aa5953.filesusr.com/ugd/e4ff69_82f1970fa2254cf4a49a138949a05177.pdf?index=true
    • https://c7d8947c-44ad-43a2-ba88-362a6cb1890e.filesusr.com/ugd/11b39a_b62b2d43873449dd89f9fa49e0138bcf.pdf?index=true
    • https://02521105-fa98-4d21-8f56-37f07d4c6d7a.filesusr.com/ugd/1a94e8_351410956d684d97ad1f7d02049710e6.pdf?index=true
    • https://ead4847c-fb5b-4b92-b3ec-84dd482e26d1.filesusr.com/ugd/65d6f7_7275a0ff88764eea9ce35983271eb9f1.pdf?index=true
    • https://f0621724-dec7-410c-93ed-5268786721f1.filesusr.com/ugd/6df952_62a7f6a8e3d549169d836512451a0d12.pdf?index=true
    • https://019351ea-44c1-4be8-a2d5-47cceeb28aee.filesusr.com/ugd/3ce946_d363cbacb120431987ca04ea70320dca.pdf?index=true
    • https://e0a5ee86-39b8-4cfc-8d9d-3fc4a5cf7317.filesusr.com/ugd/d902bb_f240da731f854f22b07c69ccdf745a7d.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0438/0796/5345/files/pdf_booklet_printing_margins.pdf
    • https://cdn.shopify.com/s/files/1/0429/0609/1673/files/59219729088.pdf
    • https://cdn.shopify.com/s/files/1/0428/0428/1511/files/jejij.pdf
    • https://cdn.shopify.com/s/files/1/0432/1371/7662/files/22517800898.pdf
    • https://c98ef715-888c-40fa-948d-05e409150a10.filesusr.com/ugd/681527_5594e0ad9147488dad0ece52c0b38a6a.pdf?index=true
    • https://83bf6d15-ab6a-4e45-ac94-5df1e69d0812.filesusr.com/ugd/717a42_4f842591ce0e459e8f33ffcf9bbecf17.pdf?index=true
    • https://62ef9ce6-6eb9-42c4-a64c-1b4686e905f6.filesusr.com/ugd/44b221_494eb6c874dc4d73b14d4294bade6a73.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000088a0.bin
f35dcff6725c9c284390be2c02490fb90344dd3637c98acecc4d3e5128fcb188		 pdf-font-stream PDF embedded font (sfnt) at offset 0x88A0 5032 bytes
font_01_sfnt_off0000999e.bin
21ac2ce7014f06deb0a28b396b16cf5e90b6731bf73b9a31faaacf3640c865d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x999E 8112 bytes
font_02_sfnt_off0000b560.bin
c9557d91917e40dbb2ce09b7ef560a04a9a832ffe2ebcac6b50408a58351272e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB560 16092 bytes
font_03_sfnt_off0000ca28.bin
7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCA28 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.