Malicious PDF — malware analysis report

Static analysis result for SHA-256 b588bc209e96da4f…

Verdict: MALICIOUS
File type: PDF
Size: 37.3 KB
Created: 2020-09-16 01:02:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bbd5ff1cf3c596f79ba0fc686dd01d81
SHA-1: ed5992abfd3972f897ae06e88d754935d5973b64
SHA-256: b588bc209e96da4f9d90b0673efb2f029c28b2cf7e96fd2bae75a2c0045edf52
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF file exhibits characteristics of a link farm, containing numerous embedded links. One prominent link redirects to 'https://ttraff.link/pify?keyword=savanna+food+web+examples', suggesting a potential phishing or malicious redirection attempt. The ML classifier also strongly flagged this PDF as malicious. The presence of many external PDF links points towards an SEO manipulation tactic or a method to distribute further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.link/pify?keyword=savanna+food+web+examples
    • http://files.staceyharris.co.nz/uploads/1/3/1/4/131437889/7711263.pdf
    • http://veniguk.alliejune.com/uploads/1/3/0/8/130874580/2784933.pdf
    • http://files.windriverwild.com/uploads/1/3/0/9/130969548/gepuwonasomixapovob.pdf
    • http://files.thevirtualink.com/uploads/1/3/1/3/131381802/wewidol.pdf
    • http://files.tdswy.com/uploads/1/3/1/6/131636719/f1cd9b74bde627f.pdf
    • http://wibop.thunderheadstudios.com/uploads/1/3/1/8/131857114/mizibiwajiki-fasujopudilo-tuxutox-fajexe.pdf
    • http://files.theflourishsisterhood.com/uploads/1/3/1/3/131398156/95d18288fa830.pdf
    • http://files.mimimanners.net/uploads/1/3/2/3/132303229/nefukifuvedamiz_xuwuxazibiranof.pdf
    • http://files.minursespac.com/uploads/1/3/1/4/131453054/kunawaje_gekutevator_puzoze.pdf
    • https://static.usrfiles.com/ugd/6f53d7_9637b1b7826341118f7d73cc40b51be7.pdf
    • https://static.usrfiles.com/ugd/440e29_8088803d4574476fb2d885ec773f7823.pdf
    • https://static.usrfiles.com/ugd/7d21c0_953695bc49a14b638a569d84637ffe18.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005492.bin
    SHA-256: b5cb8304d5d5ffd4364a98f843ede30804e45a1d6dfd388fff5d24801109f21a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5492
    Size: 5552 bytes
  • Filename: font_01_sfnt_off0000677c.bin
    SHA-256: 7a6c862c2b168680912a50c2f9a8ee782efaecdc27207ebbf8fea6a371cd58ba
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x677C
    Size: 9860 bytes