Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad42bf9ea47d4753…

Verdict: MALICIOUS
File type: PDF
Size: 51.9 KB
Created: 2020-10-18 00:04:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ba31c956f83b52c1c20750dadb88c6f4
SHA-1: ccc46f80799099450f302350c498fdcd26eb04eb
SHA-256: ad42bf9ea47d47533014d889be239a3b2df2f51145749afe00edf72f271de746
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.001 Malicious Link

The PDF triggers a critical heuristic for a malicious redirector link: a clickable URI pointing to 'https://ttraff.me/123?keyword=tiempos+verbales+indicativo+y+subjuntivo+pdf'. It also matches the profile of a PDF link farm, carrying numerous external links to other PDFs, many of them hosted on 'uploads.strikinglycdn.com' and the rest on weebly.com subdomains and cdn.shopify.com. The ML classifier flagged the file with high confidence. The producer string (wkhtmltopdf) is consistent with an automatically generated HTML-to-PDF carrier, although the producer field is attacker-controlled and is not evidence on its own. Taken together, the redirector URL and the link farm indicate a document built to route whoever opens it to a harmful site; nothing in this analysis points to an exploit of the PDF parser, so the risk lies in the user following a link.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/123?keyword=tiempos+verbales+indicativo+y+subjuntivo+pdf
    • https://zoxuzuxebexot.weebly.com/uploads/1/3/0/9/130969059/mukobuf.pdf
    • https://pagofere.weebly.com/uploads/1/3/1/3/131398194/nujagofabasale.pdf
    • https://jakedekokobara.weebly.com/uploads/1/3/1/3/131381480/3029889.pdf
    • https://keniwuki.weebly.com/uploads/1/3/1/4/131483234/gosibokuvefuj.pdf
    • https://xifobosakup.weebly.com/uploads/1/3/2/8/132815359/d4666c.pdf
    • https://nudojafobedem.weebly.com/uploads/1/3/1/3/131379550/676684.pdf
    • https://babinekisifuve.weebly.com/uploads/1/3/2/6/132696104/magebekopo_raviv_mizoluda_jogefativado.pdf
    • https://gevafitasib.weebly.com/uploads/1/3/1/3/131380901/a7b88.pdf
    • https://xanodupujariris.weebly.com/uploads/1/3/0/9/130969381/taxego.pdf
    • https://uploads.strikinglycdn.com/files/6911ea3a-8f53-4193-9e55-c0b415c6aa1d/30490679913.pdf
    • https://uploads.strikinglycdn.com/files/74f77bb0-5229-4bb9-ad91-987adc81e797/gupunif.pdf
    • https://uploads.strikinglycdn.com/files/11febdf5-a980-40f9-b263-8f1559a3c622/tofebujomoju.pdf
    • https://uploads.strikinglycdn.com/files/abeb0897-ea63-4b3a-b586-aaf0fdcfa00d/nakosuwadufafaton.pdf
    • https://uploads.strikinglycdn.com/files/4c6cb20d-59fd-4066-9dff-4bbfe783b67c/pozidekuwumasisafam.pdf
    • https://uploads.strikinglycdn.com/files/2e748d94-0b23-498b-b1a6-7d86b4eca885/vimakosade.pdf
    • https://cdn.shopify.com/s/files/1/0502/5421/7388/files/siwijanazikugolasezotofil.pdf
    • https://cdn.shopify.com/s/files/1/0440/2728/1558/files/u_substitution_worksheet_answers.pdf
    • https://cdn.shopify.com/s/files/1/0432/8056/4392/files/ramebo.pdf
    • https://cdn.shopify.com/s/files/1/0483/3427/4723/files/43513817999.pdf
    • https://cdn.shopify.com/s/files/1/0498/9331/0631/files/honda_ecm_2800_manual.pdf
    • https://cdn.shopify.com/s/files/1/0486/1345/8080/files/texas_fishing_report_2020.pdf
    • https://cdn.shopify.com/s/files/1/0467/7756/5337/files/2_period_rsi_pullback_trading_strategy.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are XMP/RDF namespace identifiers from the document's metadata stream, not clickable link annotations; they carry no risk on their own and should be excluded when counting external links.
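The two critical heuristics above describe a detection, not an implementation. The following Python example is added here and is not code from the analysis engine: it shows one way to reproduce them by pulling /URI targets out of link annotations (both literal and hex string forms), ignoring XMP namespace URIs that live only in metadata, counting external PDF-to-PDF links per host, and firing on the same two conditions. The sample PDF, the thresholds (200 KB, five PDF links, half of them on one host) and the one-entry redirector host list are assumptions modelled on this report, not the engine's values.

```python
"""Link-annotation triage for small PDFs: extract /URI targets and score them
against the redirector-link and link-farm heuristics. Added example; it assumes
uncompressed annotation dictionaries (see the caveat on URI_RE)."""
import re
from collections import Counter
from urllib.parse import urlparse

# /URI values are either literal strings "(...)" or hex strings "<...>". Scanning
# raw bytes only sees uncompressed annotation dicts; a real analyzer inflates
# object streams (/ObjStm) first, otherwise it misses the links entirely.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.DOTALL)

# Assumption: a seed list of redirector hosts taken from this report. A production
# engine consults a maintained intel set rather than a hard-coded constant.
REDIRECTOR_HOSTS = {"ttraff.me"}


def _decode_literal(raw: bytes) -> str:
    # Resolve the common escapes \( \) \\ ; octal escapes are left untouched.
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def _decode_hex(raw: bytes) -> str:
    digits = re.sub(rb"\s", b"", raw)
    if len(digits) % 2:            # PDF pads a trailing odd digit with 0
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii")).decode("latin-1")


def extract_link_uris(pdf: bytes) -> list[str]:
    """Return /URI action targets in document order (metadata URIs are not /URI keys)."""
    uris = []
    for m in URI_RE.finditer(pdf):
        lit, hexs = m.group(1), m.group(2)
        uris.append(_decode_literal(lit) if lit is not None else _decode_hex(hexs))
    return uris


def assess(pdf: bytes, max_size: int = 200_000, min_pdf_links: int = 5,
           cluster_ratio: float = 0.5) -> dict:
    """Apply both heuristics. Thresholds are assumptions for this example."""
    uris = extract_link_uris(pdf)
    hosts = Counter()
    redirector_hits = []
    for u in uris:
        p = urlparse(u)
        if p.scheme not in ("http", "https"):
            continue
        host = (p.hostname or "").lower()
        if host in REDIRECTOR_HOSTS:
            redirector_hits.append(u)
        if p.path.lower().endswith(".pdf"):   # only external PDF-to-PDF links count
            hosts[host] += 1
    pdf_links = sum(hosts.values())
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    findings = []
    if redirector_hits:
        findings.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if (len(pdf) <= max_size and pdf_links >= min_pdf_links
            and top_count / pdf_links >= cluster_ratio):
        findings.append("PDF_SEO_LINK_FARM")
    return {"uris": uris, "pdf_links": pdf_links, "top_host": top_host,
            "top_host_links": top_count, "redirectors": redirector_hits,
            "findings": findings}


def _hex_string(s: str) -> bytes:
    return b"<" + s.encode("latin-1").hex().upper().encode("ascii") + b">"


def _link(n: int, target: bytes) -> bytes:
    return (b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            b"/A << /S /URI /URI " % n + target + b" >> >> endobj\n")


# Constructed sample, not bytes from the report's file: seven link annotations
# (one hex-encoded, one with escaped parentheses) plus an XMP metadata stream
# whose namespace URIs are not link targets and must not be counted.
_XMP = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
        b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>')
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 9 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R "
    b"/Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 10 0 R 11 0 R] >> endobj\n"
    + _link(4, b"(https://ttraff.me/123?keyword=example+pdf)")
    + _link(5, b"(https://uploads.strikinglycdn.com/files/aaaa/a.pdf)")
    + _link(6, b"(https://uploads.strikinglycdn.com/files/bbbb/b.pdf)")
    + _link(7, _hex_string("https://uploads.strikinglycdn.com/files/cccc/c.pdf"))
    + _link(8, b"(https://example.weebly.com/uploads/1/2/3/d.pdf)")
    + _link(10, b"(https://cdn.shopify.com/s/files/1/0000/files/e.pdf)")
    + _link(11, b"(https://example.org/about\\(us\\))")
    + b"9 0 obj << /Type /Metadata /Subtype /XML /Length %d >> stream\n" % len(_XMP)
    + _XMP + b"\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for key, value in assess(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

The link-farm test deliberately counts only targets whose path ends in .pdf, which is what separates the pattern on this page from a normal document that cites a handful of web pages; raising `min_pdf_links` or `cluster_ratio` trades recall for fewer false positives on legitimate bibliographies.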

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00007303.bin
    SHA-256: cc0fa8620b12c5649e1f38ef6307585a25efdd4d3d9ac6763b9dfb47d95e06f6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7303
    Size: 5628 bytes
  • font_01_sfnt_off00008610.bin
    SHA-256: a242b2532b3c15938c1c121971f4e8ae7f96beec650798460e93b04ee457a67d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8610
    Size: 11072 bytes
  • font_02_sfnt_off0000aa35.bin
    SHA-256: 8680b359cba86e2f6e9a78cf8c0f9e51b009e062d62f51157c34cd29f25a410b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAA35
    Size: 16340 bytes

All three carved objects are embedded font programs (sfnt), which is normal for wkhtmltopdf output; none of the heuristics above fired on them, and the verdict rests on the link annotations rather than on these streams.