Malicious PDF — malware analysis report

Static analysis result for SHA-256 9345174740aa999b…

Verdict: MALICIOUS
File type: PDF

Size: 52.6 KB
Created: 2020-09-22 00:13:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 99ca2ae426532ec675c827f2c2a2dfd4
SHA-1: 0b155a0cf8dad5ec1e2f3b34bfe57188becdeab0
SHA-256: 9345174740aa999b46202d426928cf68fa278c054dc171872b2fe129c9554c0e
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.001 Malicious Link

The PDF contains a link farm and a critical redirector link pointing to malicious infrastructure. The embedded document body text, though corrupted, contains the string 'Summoners war fami account' and the malicious URL 'https://ttraff.link/wix?keyword=summoners+war+fami+account', suggesting a lure to a phishing or scam page. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the risk lies in what the link resolves to at click time, not in opening the file.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one hosting domain. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL (also present in the document body text):
    • https://ttraff.link/wix?keyword=summoners+war+fami+account
    Link-farm URLs (13 clickable external PDF links: 9 on filesusr.com subdomains, 4 on cdn.shopify.com):
    • https://62130157-07f7-4dd0-ac5b-9a1625e769e5.filesusr.com/ugd/3be3a7_5e936e96aba447cbacb88f722eff166a.pdf?index=true
    • https://1ee4a9d4-30df-4c55-9f90-d7add47ac250.filesusr.com/ugd/2813e2_1aa277561561434496bd739b8ce0bb0b.pdf?index=true
    • https://927d1451-e47b-4fbf-9833-56bf13d4d360.filesusr.com/ugd/edb4a7_e787f3eb8fc6487da281b6c44179ce55.pdf?index=true
    • https://a07f0b46-5808-4ce8-9712-9fcc91cbf0ed.filesusr.com/ugd/930050_51d594595cbf45ca800c0d31bf2a308f.pdf?index=true
    • https://2518fc60-32de-4557-aadc-892f3d92db65.filesusr.com/ugd/65b209_8e5fb07c096640a0a4f95aa2eec32a76.pdf?index=true
    • https://dbcc6d3e-dfd7-4eec-a0ee-66a8017d98db.filesusr.com/ugd/38955b_9ff40b2e163f49fc8b0109483d0f5f69.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0434/8326/7236/files/4806423766.pdf
    • https://cdn.shopify.com/s/files/1/0434/0852/3416/files/terry_eagleton_ideology_of_the_aesthetic.pdf
    • https://cdn.shopify.com/s/files/1/0433/6533/5190/files/peripa.pdf
    • https://cdn.shopify.com/s/files/1/0436/2692/2146/files/auto_sketchbook_pro.pdf
    • https://951c55c5-d759-4ce6-850c-469582136f18.filesusr.com/ugd/418e76_0667fcc6bdde440d9fd69b777475e399.pdf?index=true
    • https://2526437e-9eea-4d1b-a81c-abb964dd4d43.filesusr.com/ugd/cb2bed_6d12a7c907dc4920baa578b83a488a45.pdf?index=true
    • https://27aa568f-7859-4885-8dfa-2d1586b718e5.filesusr.com/ugd/d8966e_1b6581d65b934f60afb0d26a0a92ea5a.pdf?index=true
    XMP/RDF metadata namespace URIs (schema identifiers from the document's XMP packet, not clickable links; expected in any wkhtmltopdf output):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
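The two critical heuristics above reduce to a small amount of static logic: pull the /URI targets out of the Link annotations, then check whether a small file carries many external .pdf links concentrated on one hosting domain. The script below is an added example written for this page, not the analysis platform's own code. It uses a regex over the raw bytes, so it only sees /URI actions stored uncompressed (URIs inside object streams need a real PDF parser to inflate first); the thresholds, the `.example` host names and the `build_sample_pdf` test input are all constructed for the example and are not the report's values.

```python
"""Static triage for PDF link carriers: extract /URI actions and apply a
link-farm heuristic modelled on PDF_SEO_LINK_FARM. Added example, not the
report's tooling. Only uncompressed /URI actions are seen; thresholds are
assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI values are PDF literal strings "(...)" or hex strings "<...>".
URI_RE = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)"
)
_ESCAPES = {ord("n"): 0x0A, ord("r"): 0x0D, ord("t"): 0x09,
            ord("("): 0x28, ord(")"): 0x29, ord("\\"): 0x5C}


def _unescape_literal(raw: bytes) -> bytes:
    """Resolve the backslash escapes that turn up in PDF literal strings."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):
            out.append(_ESCAPES.get(raw[i + 1], raw[i + 1]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)


def extract_uris(pdf_bytes: bytes) -> list:
    """Return every /URI target found in uncompressed objects, in file order."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        if m.group("lit") is not None:
            raw = _unescape_literal(m.group("lit"))
        else:
            raw = bytes.fromhex(re.sub(rb"\s", b"", m.group("hex")).decode("ascii"))
        uris.append(raw.decode("latin-1"))
    return uris


def registrable_domain(host: str) -> str:
    """Naive registrable domain (last two labels); no public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def link_farm_verdict(uris, pdf_size, min_pdf_links=8, max_size=200 * 1024,
                      cluster_ratio=0.5) -> dict:
    """Flag a small PDF whose external links are mostly .pdf files on one domain."""
    external = [u for u in uris if urlsplit(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    domains = Counter(registrable_domain(urlsplit(u).hostname or "") for u in external)
    top_domain, top_count = domains.most_common(1)[0] if domains else ("", 0)
    share = top_count / len(external) if external else 0.0
    flagged = (len(pdf_links) >= min_pdf_links and pdf_size <= max_size
               and share >= cluster_ratio)
    return {"external": len(external), "pdf_links": len(pdf_links),
            "top_domain": top_domain, "top_domain_share": round(share, 2),
            "flagged": flagged}


def build_sample_pdf(urls) -> bytes:
    """Constructed test input: a one-page PDF with one Link annotation per URL."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                + refs + b"] >>")
    for u in urls:
        lit = u.encode("latin-1")
        for ch in (b"\\", b"(", b")"):  # escape literal-string delimiters
            lit = lit.replace(ch, b"\\" + ch)
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (" + lit + b") >> >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_pos)
    return bytes(out)


# Constructed link set mirroring the report's pattern: many .pdf links on one
# hosting domain, a few on a second, plus one non-PDF redirector. Hosts are
# hypothetical .example names, not the campaign's real infrastructure.
SAMPLE_URLS = (
    ["https://%08x-0000-4000-8000-000000000000.farm-cdn.example/ugd/%06x.pdf?index=true"
     % (i, i) for i in range(10)]
    + ["https://cdn.shop.example/s/files/1/0001/files/report.pdf",
       "https://cdn.shop.example/s/files/1/0002/files/notes.pdf",
       "https://redirector.example/wix?keyword=some+lure+phrase"]
)

if __name__ == "__main__":
    pdf = build_sample_pdf(SAMPLE_URLS)
    found = extract_uris(pdf)
    print(len(pdf), "bytes,", len(found), "URIs")
    print(link_farm_verdict(found, len(pdf)))
```

On a real sample, pass the file's bytes to `extract_uris` and its size to `link_farm_verdict`; the redirector in this report would show up in the extracted list as the one external link whose path is not a .pdf, which is the entry worth resolving in a sandbox rather than clicking.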

Extracted artifacts 5

Files carved from inside the sample during analysis. All five are sfnt font programs embedded by the authoring application; embedded fonts are expected in a wkhtmltopdf-generated document and are not themselves an indicator, but their hashes are listed so they can be matched against other samples from the same generator.

Filename: font_00_sfnt_off00005faa.bin
  SHA-256: 0eac1552a6a0cc8d6d43e14f5c157d052ff2bf21460314f67a2c213e0a454e63
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5FAA
  Size: 6744 bytes

Filename: font_01_sfnt_off00007091.bin
  SHA-256: c00b6f29e4b3bfac91bf8db0ed44c669851c144c4771186ada712c20301956d5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7091
  Size: 5188 bytes

Filename: font_02_sfnt_off00008228.bin
  SHA-256: fa5ae873ee41c3d305524eceaeeb1ef4ac03fdf0686b45a08dbc56383d4fff9b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8228
  Size: 1592 bytes

Filename: font_03_sfnt_off00008a47.bin
  SHA-256: 2a8fee108ed71f1f6fe46bc1dc61d4741f6f305e649ac41de6acc5706c99d5c0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8A47
  Size: 10840 bytes

Filename: font_04_sfnt_off0000af64.bin
  SHA-256: 06b6d92114adeda75af3f96122d26ce5b75c0c67043a3966fe4e60826377f072
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xAF64
  Size: 16264 bytes