Malicious PDF — malware analysis report

Static analysis result for SHA-256 ab6b6407cedc141a…

MALICIOUS

PDF

37.2 KB Created: 2020-09-02 12:39:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 02e2461bc1d69a49f430d2cc4401b38b SHA-1: 39f7674662afff9804b1fe4e273b55a5bda6aaba SHA-256: ab6b6407cedc141ac594888ab78116881a109e6550ed58c836f5fda0ec62e00f
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many pointing to domains associated with SEO poisoning or link farms. One critical heuristic identified a link to a known malicious redirector at https://ttraff.com/wix?keyword=despicable+me+soundtrack+free. The document body, though heavily obfuscated, contains this same URL, suggesting the primary intent is to redirect the user to malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=despicable+me+soundtrack+free
    • https://cdn.shopify.com/s/files/1/0431/3504/1693/files/fazafibadibitefuri.pdf
    • https://cdn.shopify.com/s/files/1/0432/2469/4942/files/jijapupaxifimivuwobun.pdf
    • https://cdn.shopify.com/s/files/1/0457/4783/0940/files/zadilopusezorinuvojuketed.pdf
    • https://cdn.shopify.com/s/files/1/0472/2422/5957/files/xuzolukupafiditag.pdf
    • https://cdn.shopify.com/s/files/1/0435/9385/9231/files/arjun_reddy_tamil_dubbed_movie_hd.pdf
    • https://static.usrfiles.com/ugd/d32f78_38ef40a935654933badac82848d2a9ba.pdf
    • https://static.usrfiles.com/ugd/2072cd_6ab891da08604c328e6d047cd174d65d.pdf
    • https://static.usrfiles.com/ugd/1a89c8_51dee37234484ce58b9b83948788527d.pdf
    • https://static.usrfiles.com/ugd/b8c837_3d041ea95fc0438da95402990f57da6f.pdf
    • https://static.usrfiles.com/ugd/b8c837_eb823b2bf3bf42fab79ae2377cbac88d.pdf
    • https://static.usrfiles.com/ugd/ecec20_e853544150934dd4a4ce164d1927c914.pdf
    • https://static.usrfiles.com/ugd/02af14_97ad813f71204c6b86b64be55e0f9ec9.pdf
    • https://static.usrfiles.com/ugd/f0f215_6b4faf3c74de4bf98ceb839ecdb1cbab.pdf
    • https://static.usrfiles.com/ugd/b8c837_96f1f79f01ab40d9b0803742480f2cd7.pdf
    • https://static.usrfiles.com/ugd/b8c837_f6dc46405b074502859cef609ce0d915.pdf
    • https://static.usrfiles.com/ugd/fa32a6_e0dfdbc058714c57babba3a1124b140b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000052fb.bin
8a429969d39ca823182b6d2ff804e89c39769d835d57074a39d9ab4bde0bc1da		 pdf-font-stream PDF embedded font (sfnt) at offset 0x52FB 5504 bytes
font_01_sfnt_off0000659f.bin
278a908beed017ea0b277f974e28c47b50695d51047e7f9b4740f7c9a551cdb8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x659F 10120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.