Malicious PDF — malware analysis report

Static analysis result for SHA-256 9a811b7559566aca…

MALICIOUS

PDF

52.6 KB Created: 2020-08-30 10:17:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9b9234e3b164e61b2b4947713b7f0c08 SHA-1: 7fc6dcfc3335a40d3f0ab4fa22b6670637087147 SHA-256: 9a811b7559566acaa33b81d50ec657d318299c7daad1d695337c8ce134878324
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged by multiple critical heuristics for containing malicious redirector links and a large link farm. The embedded URL points to a redirector, and the document body contains numerous links to external PDFs, many hosted on Shopify. This suggests a campaign focused on SEO spam or redirecting users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=hull+break+war+thunder
    • https://cdn.shopify.com/s/files/1/0434/4915/5740/files/97140055691.pdf
    • https://cdn.shopify.com/s/files/1/0440/4169/9478/files/forugowifevejixudoduruwad.pdf
    • https://cdn.shopify.com/s/files/1/0440/6758/6213/files/acupressure_points_in_human_body.pdf
    • https://cdn.shopify.com/s/files/1/0432/5959/2859/files/30848290949.pdf
    • https://cdn.shopify.com/s/files/1/0431/8311/2341/files/bingo_cards_to_print.pdf
    • https://cdn.shopify.com/s/files/1/0465/9642/3845/files/a_m_t_s_full_form.pdf
    • https://static.usrfiles.com/ugd/0f5b72_b3ca99881e0445b2bcdf4e57e5900ca4.pdf
    • https://static.usrfiles.com/ugd/20d83a_2e09364648524685a7c2416c284406ba.pdf
    • https://static.usrfiles.com/ugd/122077_ead1c5c9bb5b44f2ae4f00ad91656172.pdf
    • https://static.usrfiles.com/ugd/834936_18108b3882c341b0ba0f58be64f31929.pdf
    • https://static.usrfiles.com/ugd/b8c837_ed9760caa78041888ba70a56e72639cb.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008fd9.bin
db613262f1b2855d687ec65deb72082e4d0c113ff8ab07ba219eeda2edf38e33		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8FD9 4992 bytes
font_01_sfnt_off0000a0d4.bin
e17615ea80b2757c6b830629bfd52a53593aa25e4264fa44a24f290c9504eea4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA0D4 11188 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.