Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2b8c127d64cb714…

MALICIOUS

PDF

45.8 KB Created: 2020-08-30 07:02:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: be9336270ffe59cb88aea3e6c789864d SHA-1: 4d413eb966630e7561e528af33b229703af738d1 SHA-256: b2b8c127d64cb7145b1c615f6b7a9543db795f5696a01df03b33a6d5c0965755
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. The document body, though heavily obfuscated, contains text related to 'Dell 365 bluetooth driver windows 10', suggesting a lure for users seeking software. The link likely leads to a malicious site designed to exploit or deliver further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=dell+365+bluetooth+driver+windows+10
    • https://cdn.shopify.com/s/files/1/0430/8808/5145/files/birdland_big_band.pdf
    • https://cdn.shopify.com/s/files/1/0433/0412/4571/files/75849614218.pdf
    • https://cdn.shopify.com/s/files/1/0431/1531/5351/files/xisimulisudo.pdf
    • https://cdn.shopify.com/s/files/1/0437/5294/7873/files/clicker_heroes_latest_version_hacked.pdf
    • https://cdn.shopify.com/s/files/1/0437/6815/2216/files/xakukifa.pdf
    • https://cdn.shopify.com/s/files/1/0441/1061/0584/files/logo_quiz_ultimate_level_3_answers.pdf
    • https://cdn.shopify.com/s/files/1/0431/8344/0036/files/rorschach_inkblot_test.pdf
    • https://cdn.shopify.com/s/files/1/0432/9232/8102/files/kelafapofekivefopafaxiva.pdf
    • https://cdn.shopify.com/s/files/1/0434/4669/8146/files/tremble_lyrics.pdf
    • https://cdn.shopify.com/s/files/1/0437/2817/5265/files/96359044092.pdf
    • https://cdn.shopify.com/s/files/1/0430/5354/7677/files/questoes_de_concurso_administrao_publica_nivel_medio.pdf
    • https://cdn.shopify.com/s/files/1/0432/6768/6556/files/xekoxidele.pdf
    • https://cdn.shopify.com/s/files/1/0428/5782/4419/files/daxefiser.pdf
    • https://cdn.shopify.com/s/files/1/0437/7097/0274/files/53860429113.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000728c.bin
7b526ba99e6eed0c9c2a78e99929cbba23f15cc7b9121fdf38b0455de51489f9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x728C 5628 bytes
font_01_sfnt_off000085be.bin
a624d5daf1790a0684873e3b68488c5692d11ab4c587556398e26c2ec1f95c81		 pdf-font-stream PDF embedded font (sfnt) at offset 0x85BE 10796 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.