Malicious PDF — malware analysis report

Static analysis result for SHA-256 a33c7c492ebb6033…

MALICIOUS

PDF

47.9 KB Created: 2020-08-29 21:59:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 98e4905fd6ba8c2603b07898a2de7a6e SHA-1: 37a633257f9cbaf111b84e0f4cf1ac88dc8b0266 SHA-256: a33c7c492ebb603350efb53a0ba6031e841495f0292d49fc40bd392e2d587231
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged as malicious due to a high number of embedded links, with one specifically identified as a redirector. The document body contains garbled text but also includes the suspicious URL, suggesting a lure to external malicious content. The presence of numerous links, including a redirector, indicates a likely phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=efetue+as+seguintes+adi%25C3%25A7%25C3%25B5es+de+polin
    • https://static.usrfiles.com/ugd/e5cbe5_700cfc27152f473ba449e7d98d5b04f9.pdf
    • https://static.usrfiles.com/ugd/8ab72e_4082834ec14d45da921e3455db0bb93f.pdf
    • https://static.usrfiles.com/ugd/10b11f_ec3525ea4fdf46c88783b6164b260d04.pdf
    • https://static.usrfiles.com/ugd/ea2f88_1ca5e143d6b243a3b25c87ea24258ae7.pdf
    • https://static.usrfiles.com/ugd/b8c837_24af61ff99ee4c579112b7be2c8b60af.pdf
    • https://cdn.shopify.com/s/files/1/0431/5539/0630/files/bilingual_spanish_english_books.pdf
    • https://cdn.shopify.com/s/files/1/0444/5192/2087/files/manual_cade_simu_2._0_portugues.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/40035930655.pdf
    • https://cdn.shopify.com/s/files/1/0461/9668/6997/files/lightroom_presets_free_zip_dng.pdf
    • https://cdn.shopify.com/s/files/1/0435/6410/5886/files/12958688568.pdf
    • https://cdn.shopify.com/s/files/1/0430/9018/2304/files/wunegewugukuza.pdf
    • https://cdn.shopify.com/s/files/1/0463/3342/7873/files/3983258574.pdf
    • https://cdn.shopify.com/s/files/1/0434/0937/5383/files/bijasizegokinegi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000668e.bin
f8379122cd70cfc74db4d0708d2608ef9133a3d7874c802d8c8e2294f3ac5f25		 pdf-font-stream PDF embedded font (sfnt) at offset 0x668E 5468 bytes
font_01_sfnt_off000078fd.bin
cd519351b6485e6301141aeb1d9344c66f317f07ec3c502cb22a979488be859d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78FD 19164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.