Malicious PDF — malware analysis report

Static analysis result for SHA-256 8259a49308419778…

MALICIOUS

PDF

40.6 KB Created: 2020-08-17 03:14:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a5c66ea305eea9224da18a9e1041449f SHA-1: afc442dbc5ce5974b14e3e8b5b1bec02206a188c SHA-256: 8259a493084197786f0bbcdc45ac986e79674783fc49c6954976f3463c42eaa0
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a prominent link that appears to be related to 'Advocare 24 day challenge guidelines'. This link, however, redirects through a known malicious redirector (ttraff.com) to further infrastructure. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs pointing to external PDF files, likely for SEO manipulation or to obscure the malicious destination. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=advocare+24+day+challenge+guidelines
    • http://files.meatloafprincess.com/uploads/1/3/2/7/132710621/ralevuni_betegi_befozefote_nazewif.pdf
    • https://cdn.shopify.com/s/files/1/0431/1423/4016/files/px_to_pt.pdf
    • https://cdn.shopify.com/s/files/1/0434/4021/0072/files/22983165559.pdf
    • https://cdn.shopify.com/s/files/1/0429/5376/9123/files/android_studio_3._4_for_mac.pdf
    • https://cdn.shopify.com/s/files/1/0435/8602/7677/files/67221822769.pdf
    • https://cdn.shopify.com/s/files/1/0428/7689/5398/files/45557354748.pdf
    • https://cdn.shopify.com/s/files/1/0431/8537/3333/files/26523199064.pdf
    • https://cdn.shopify.com/s/files/1/0438/0891/5613/files/bidisa.pdf
    • https://cdn.shopify.com/s/files/1/0430/5757/8138/files/kobozeji.pdf
    • https://cdn.shopify.com/s/files/1/0439/7072/3998/files/cirrhose_dcompense.pdf
    • https://cdn.shopify.com/s/files/1/0437/7624/5922/files/90749859104.pdf
    • https://cdn.shopify.com/s/files/1/0429/9220/5978/files/fekewokojelejakezeloj.pdf
    • https://cdn.shopify.com/s/files/1/0434/5335/0055/files/paripifisanigewok.pdf
    • https://cdn.shopify.com/s/files/1/0431/1141/5965/files/vexitagubogemurijabivobop.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f56.bin
80af91875bfe9d9c7d764a5e8c9663e76226cde46bc68b3094113fb089c0a48b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F56 5572 bytes
font_01_sfnt_off00007253.bin
704c6d676488e6054a86f2e0e2e2fce1683962e8aea1267498503f07fdccc97d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7253 10228 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.