Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f3df88ad116b8fe…

MALICIOUS

PDF

40.8 KB Created: 2020-09-08 02:42:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00198f77cce9ca7a071c1e8be284781f SHA-1: e762d8c0f8da3f77a75ed8bd2b792ebf179898a1 SHA-256: 8f3df88ad116b8fe6b663cef08fdf2e883a58b3396972421e821b17f476ff2f5
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.club/pify?keyword=rule+25sa+bilge+pump+manual'. The document body, though heavily obfuscated, also contains this URL and numerous other links to PDF files hosted on cdn.shopify.com and static.usrfiles.com. The presence of a malicious redirector strongly suggests a phishing or scam attempt, aiming to direct the user to a harmful site. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/pify?keyword=rule+25sa+bilge+pump+manual
    • https://static.usrfiles.com/ugd/ffe0d3_26c523a471cc4fc8b2b7cb6349390f87.pdf
    • https://static.usrfiles.com/ugd/a771bd_dfb0f34990974a53bdde900e67890b06.pdf
    • https://static.usrfiles.com/ugd/ceb2e8_165323a62bde411e99ba1f5c6e21947f.pdf
    • https://static.usrfiles.com/ugd/b98abb_098466cb8332494fafffbe411966c646.pdf
    • https://static.usrfiles.com/ugd/d1d005_7fa29e4cf0d3473d9d821c06681cc2ca.pdf
    • https://cdn.shopify.com/s/files/1/0435/2301/4824/files/gulewefesosegawazotitituw.pdf
    • https://cdn.shopify.com/s/files/1/0428/8171/2287/files/git_global_ignore.pdf
    • https://cdn.shopify.com/s/files/1/0431/6869/4432/files/54158295126.pdf
    • https://cdn.shopify.com/s/files/1/0431/2521/1296/files/53891704008.pdf
    • https://cdn.shopify.com/s/files/1/0429/5639/0559/files/58589432521.pdf
    • https://cdn.shopify.com/s/files/1/0433/0212/5733/files/femugitasaketoden.pdf
    • https://cdn.shopify.com/s/files/1/0427/7554/3964/files/costing_methods_in_accounting.pdf
    • https://cdn.shopify.com/s/files/1/0432/0945/7828/files/conducta_alimentaria_definicion.pdf
    • https://cdn.shopify.com/s/files/1/0436/9727/5033/files/zedopowesew.pdf
    • https://static.usrfiles.com/ugd/a4e402_a1c43a9def9544e7b870bfa187edde89.pdf
    • https://static.usrfiles.com/ugd/98e2de_2c5e227853de43c3a5e6077e2893d7cd.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000061eb.bin
e219e2a7ae460f1601d76ee62e8cd39587d8305a9b47cccddc3a884fba5d60e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x61EB 5444 bytes
font_01_sfnt_off0000746a.bin
484ce8c106b4e2b14500b25685ed417d5150473467a5fddac49b60b1dfdafa1e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x746A 9972 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.