Malicious PDF — malware analysis report

Static analysis result for SHA-256 861f42aca1e5458c…

MALICIOUS

PDF

43.7 KB Created: 2020-08-31 13:14:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aee5c2a4b5f27afb891dc3769bcadc81 SHA-1: 3d34db91325cd7af3875358c4759ee0d86178e2f SHA-256: 861f42aca1e5458c45b4037f1cd22d786a4d333d5a2b776cee0196db6eaf2d53
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged as malicious due to a high number of embedded links pointing to a redirector. The primary malicious URL identified is https://ttraff.cc/wix?keyword=la+hija+de+lucero. This indicates a link farm attack pattern, likely intended to lead users to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=la+hija+de+lucero
    • https://cdn.shopify.com/s/files/1/0433/3902/2485/files/25875072874.pdf
    • https://cdn.shopify.com/s/files/1/0435/9382/6467/files/17675598985.pdf
    • https://cdn.shopify.com/s/files/1/0434/4017/7308/files/spielplan_bundesliga_saison_18_19.pdf
    • https://cdn.shopify.com/s/files/1/0434/8005/5958/files/3558228329.pdf
    • https://cdn.shopify.com/s/files/1/0432/3577/0535/files/kedesulapixode.pdf
    • https://static.usrfiles.com/ugd/2e4eb4_d4618246944a41e8972849366f91a92f.pdf
    • https://static.usrfiles.com/ugd/c63dba_80253e54b2ce4a42a786ce101b540392.pdf
    • https://static.usrfiles.com/ugd/289c5e_cbb3435cf7894edba87646d346479679.pdf
    • https://static.usrfiles.com/ugd/b8c837_27adc5cc3eed4076be5d6a00517034c0.pdf
    • https://static.usrfiles.com/ugd/b8c837_de1f308bf5e34aafbe3b8548f13ecdf3.pdf
    • https://static.usrfiles.com/ugd/b8c837_bfbe03bef4f94b789c901e4f3cd1ffa9.pdf
    • https://static.usrfiles.com/ugd/b8c837_de06e31410784dde8635aea42a71b47c.pdf
    • https://static.usrfiles.com/ugd/b8c837_fde0e5f9ecf94f0f8fa19f126ef7d74a.pdf
    • https://static.usrfiles.com/ugd/3b0c81_fc274c8fb04f4ac183ccf6fbdb6fc2fa.pdf
    • https://static.usrfiles.com/ugd/0049ca_eca86a90444f48b086fdc081f9ba0ce2.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000061f1.bin
4756ffe873f62a56d1272e49232373ad7fd4ebad057a4ac252d7f2c7798a51d6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x61F1 4864 bytes
font_01_sfnt_off00007273.bin
795fdafde7acab4ecd0f2e60382cc35de0feca8098daaa195ccd4f26652dad6d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7273 2376 bytes
font_02_sfnt_off00007bdc.bin
51b7c8fc76dd4534d1f0f425107522a9f67462a84335bb2719dee81913a1c4e6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7BDC 11712 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.