Malicious PDF — malware analysis report

Static analysis result for SHA-256 7cf770722a2cebc5…

Verdict: MALICIOUS
File type: PDF
Size: 38.2 KB
Created: 2020-09-12 01:45:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 03c6de9c9e9f48ab57b18b53e5cfcaec
SHA-1: c9109a711560aaf2ae765cbe5fe9fae7cb1fdae0
SHA-256: 7cf770722a2cebc55548570da0eeb50c38addc86c3e3bddccc901c02242cc181
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Link (the detections below are all clickable link annotations; note that "Spearphishing Attachment" is T1566.001)
  • T1059.001 PowerShell (not evidenced by the static findings on this page: no script, command or shell content appears among the heuristics or extracted artifacts)

The PDF contains a mass external link farm whose primary URL points to a known malicious redirector (ttraff.link). The document body text, though partially corrupted, includes the lure 'Free adobe illustrator id card template' and the redirector URL, indicating an SEO-poisoning/phishing lure rather than an exploit document. The ML classifier strongly supports the malicious verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    The small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel label (macro, JS, link annotation, document body, ...) records how each URL was reached.
    Clickable link annotations (the first also appears in the document body text):
      • https://ttraff.link/wix?keyword=free+adobe+illustrator+id+card+template
      • https://static.usrfiles.com/ugd/b8c837_7fdb069ff4f04dcbb37ab1446f3308e2.pdf
      • https://static.usrfiles.com/ugd/b8c837_128d2447e7e54244b1d2e2b62307664e.pdf
      • https://static.usrfiles.com/ugd/b8c837_b51c96207ff748869eea4b0dcbe50a33.pdf
      • https://static.usrfiles.com/ugd/c57cae_8f3116721edd4600a5715b921a8b52f1.pdf
      • https://static.usrfiles.com/ugd/594ae5_e7da36990826400595bdd6d81fc2d77c.pdf
      • https://static.usrfiles.com/ugd/faa7ef_ef5b6d10611148cda6f2d7199b9a411f.pdf
      • https://cdn.shopify.com/s/files/1/0454/6491/2024/files/real_chess_game_apk.pdf
      • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/rixiridujafogidubiba.pdf
      • https://static.usrfiles.com/ugd/a298ce_ede4e3edd8344a1bbcb0b72d848a1e8f.pdf
      • https://static.usrfiles.com/ugd/89363e_97eea195b09a4aa9a5fcf807becc1bbd.pdf
    XMP metadata namespace URIs (standard schema identifiers from the document's XMP packet, not links; they carry no weight in the verdict):
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/pdf/1.3/
      • http://ns.adobe.com/xap/1.0/
      • http://ns.adobe.com/xap/1.0/mm/
      • http://ns.adobe.com/xap/1.0/rights/
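The two critical heuristics above can be reproduced with a few lines of Python. The script below is an added example, not code from the report or from the analysis engine: it pulls the targets of /URI actions (the clickable link annotations) out of raw PDF bytes, separates them from the xmlns URIs that live only in the XMP metadata packet, and applies a link-farm rule to a constructed PDF fragment. The fragment, the thresholds (100 KB, at least five external .pdf links, at least half on one host) and the one-entry redirector list are assumptions chosen to mirror this report; a real scanner would also decode FlateDecode object streams, which the regex approach does not see.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed PDF fragment standing in for the analysed sample (it is NOT the
# real file): six /Link annotations with /URI actions, four clustered on one
# host, one pointing at the ttraff.link redirector, plus an XMP metadata stream
# whose xmlns declarations carry the w3.org / purl.org / ns.adobe.com URIs.
# Stream lengths and the xref table are omitted; this is input for the
# extractor below, not a file meant to open in a viewer.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 9 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R"
    b" /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 10 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI"
    b" /URI (https://ttraff.link/wix?keyword=free+adobe+illustrator+id+card+template) >> >> endobj\n"
    # key order inside the action dictionary is not fixed in PDF
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 10 10 20] /A << /URI"
    b" (https://static.usrfiles.com/ugd/aa_1.pdf) /S /URI >> >> endobj\n"
    b"6 0 obj << /Type /Annot /Subtype /Link /Rect [0 20 10 30] /A << /S /URI"
    b" /URI (https://static.usrfiles.com/ugd/aa_2.pdf) >> >> endobj\n"
    b"7 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 10 40] /A << /S /URI"
    b" /URI (https://static.usrfiles.com/ugd/aa_3.pdf) >> >> endobj\n"
    # parentheses inside a PDF literal string are backslash-escaped
    b"8 0 obj << /Type /Annot /Subtype /Link /Rect [0 40 10 50] /A << /S /URI"
    b" /URI (https://static.usrfiles.com/ugd/aa_\\(4\\).pdf) >> >> endobj\n"
    b"10 0 obj << /Type /Annot /Subtype /Link /Rect [0 50 10 60] /A << /S /URI"
    b" /URI (https://cdn.shopify.com/s/files/x.pdf) >> >> endobj\n"
    b"9 0 obj << /Type /Metadata /Subtype /XML >>\nstream\n"
    b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
    b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
    b'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/"'
    b' xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>'
    b"</rdf:RDF></x:xmpmeta>\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# A /URI action's target is a PDF literal string "( ... )" in which "\(", "\)"
# and "\\" are escapes. Unescaped balanced parentheses are also legal but rare
# in URLs and are not handled here.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
XMLNS_RE = re.compile(rb'xmlns:[\w.-]+="([^"]+)"')


def _unescape(raw):
    """Undo the three PDF literal-string escapes that matter for URLs."""
    return (raw.replace(b"\\(", b"(").replace(b"\\)", b")")
               .replace(b"\\\\", b"\\").decode("latin-1"))


def extract_link_uris(pdf):
    """URLs reachable by clicking: targets of /URI actions (link annotations)."""
    return [_unescape(m) for m in URI_RE.findall(pdf)]


def extract_xmp_namespaces(pdf):
    """URIs that only occur as XML namespace names in the XMP metadata packet.
    They are schema identifiers, not links, so a scanner should not score them."""
    return sorted({m.decode("latin-1") for m in XMLNS_RE.findall(pdf)})


def link_farm_verdict(pdf, max_size=100 * 1024, min_pdf_links=5,
                      min_top_host_share=0.5,
                      redirector_hosts=frozenset({"ttraff.link"})):
    """Re-implementation with assumed thresholds of PDF_SEO_LINK_FARM and
    PDF_MALICIOUS_REDIRECTOR_LINK. redirector_hosts stands in for a threat-intel
    list; only ttraff.link, the host named in the report, is included."""
    uris = extract_link_uris(pdf)
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname or "" for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    return {
        "size": len(pdf),
        "link_count": len(uris),
        "pdf_link_count": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(share, 3),
        "redirector_links": [u for u in uris
                             if urlsplit(u).hostname in redirector_hosts],
        "PDF_SEO_LINK_FARM": (len(pdf) <= max_size
                              and len(pdf_links) >= min_pdf_links
                              and share >= min_top_host_share),
        "PDF_MALICIOUS_REDIRECTOR_LINK": any(
            urlsplit(u).hostname in redirector_hosts for u in uris),
    }


if __name__ == "__main__":
    for key, value in link_farm_verdict(SAMPLE_PDF).items():
        print(f"{key}: {value}")
    print("xmp namespaces (not links):", extract_xmp_namespaces(SAMPLE_PDF))
```

Run it on the real sample by replacing SAMPLE_PDF with the file's bytes; the host-share rule is what turns a handful of citations into a link-farm signal, and the separate XMP extractor is why the w3.org and ns.adobe.com URIs above are listed for completeness but never scored.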

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                      Size
font_00_sfnt_off000057fd.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x57FD   5312 bytes
  SHA-256: 1317c385bc5a092601f3b5805d18c05817a2b5b4579f3cec5e3a014b97c7c0bf
font_01_sfnt_off000069f2.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x69F2   10048 bytes
  SHA-256: 6d34d482c7385d37adfa52ad5d49cab3b4830910d9ab76056863d8fbbcd54470

Both artifacts are embedded TrueType/OpenType (sfnt) font subsets, consistent with a document rendered by wkhtmltopdf/Qt; neither carries a detection on this page.