Malicious PDF — malware analysis report

Static analysis result for SHA-256 a38567c6225c1f17…

Verdict: MALICIOUS
File type: PDF
Size: 42.5 KB
Created: 2020-09-07 09:41:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9f32b96f526be0cb047d8be8b81de03d
SHA-1: 27d061bf4df1e265313f89567267aef49e6d0c32
SHA-256: a38567c6225c1f171b5612a34de531d392abf11f0434751d014c0f9d9ce26e95
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to other PDF files, a technique often used for SEO poisoning or to obscure malicious redirects. One of the embedded links, 'https://ttraff.club/wix?keyword=bremsweg+bei+50+km+h+faustformel', is flagged as a known malicious redirector. The document body itself is largely unreadable binary data, but the presence of the malicious URL and the link farm heuristic strongly suggest a malicious intent, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.club/wix?keyword=bremsweg+bei+50+km+h+faustformel (flagged as a known malicious redirector; see PDF_MALICIOUS_REDIRECTOR_LINK above)
    • https://static.usrfiles.com/ugd/bb05c1_e75621eb86fa4200bcd4d230dbe6b816.pdf
    • https://static.usrfiles.com/ugd/b914b5_104396473b844ff0ad61ef049fc5f100.pdf
    • https://static.usrfiles.com/ugd/5262df_1060637ed2c34ce89187e2b897a7ab34.pdf
    • https://static.usrfiles.com/ugd/b0b521_e5d2e812f28d4f6db3be54f75bd48418.pdf
    • https://static.usrfiles.com/ugd/3e9e83_fc3b5b44d3b3456089e4ff93f4feda65.pdf
    • https://cdn.shopify.com/s/files/1/0431/5817/5895/files/lubenuzukuxorugine.pdf
    • https://static.usrfiles.com/ugd/46429b_818077e305464d3eae5ccbb4445b92fb.pdf
    • https://static.usrfiles.com/ugd/d54300_3c96b3658278434abd021faa19a3f56c.pdf
    • https://static.usrfiles.com/ugd/909b15_dc03b6a8f0a04482b8fa72691ca48499.pdf
    • https://static.usrfiles.com/ugd/50de67_4c2a515d68044b54b082390dabed9c7f.pdf
    • https://static.usrfiles.com/ugd/345929_65c09793a27d4f778ebc311e7284237e.pdf
    • https://static.usrfiles.com/ugd/9ea91e_3d22ec6bf24844c4bdef907d91f5766e.pdf
    • https://static.usrfiles.com/ugd/b91566_65be030eba1e459aa81d74158274f7bb.pdf
    • https://static.usrfiles.com/ugd/e02969_448638f8898d4045ab561887a353bfab.pdf
    • https://static.usrfiles.com/ugd/2b25b5_69026ea6137e4d30a236a8efa4345d77.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off0000647a.bin
    SHA-256: 1dfbddfb761b0aaeac10d19c22dc5c83e7d7b4edc5b38a4f587d1e4cb6a71719
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x647A
    Size: 5792 bytes
  • font_01_sfnt_off00007829.bin
    SHA-256: d3beec8efbe1b21fecd00cb8ab248795cf72c782b0ed850cd6d5e67012a7972d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7829
    Size: 10572 bytes