Malicious PDF — malware analysis report

Static analysis result for SHA-256 bc976299987c63af…

MALICIOUS

PDF

44.9 KB Created: 2020-08-30 11:39:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c35caa8e8364fe1e06bce4e273c9ee3f SHA-1: b0df516100a2719be1f3a67708ae188a0df88365 SHA-256: bc976299987c63afe6a41c8184124904ddc00925eb23c9dd6ef9d47fc2fc70ed
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link disguised as song lyrics, aiming to trick users into clicking it. The link leads to 'https://ttraff.ru/wix?keyword=imagine+dragons+it%2527+s+time+lyrics', which is flagged as malicious. The document also contains a large number of links to other PDFs hosted on Shopify, likely part of a link farm to improve SEO for malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=imagine+dragons+it%2527+s+time+lyrics
    • https://cdn.shopify.com/s/files/1/0429/8699/5863/files/the_economist_magazine_2020_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0431/6649/8965/files/56293282136.pdf
    • https://cdn.shopify.com/s/files/1/0450/4626/8054/files/school_principal_interview_questions.pdf
    • https://cdn.shopify.com/s/files/1/0429/3728/6815/files/geometric_sequence_and_series_worksheet_answer_key.pdf
    • https://cdn.shopify.com/s/files/1/0431/3183/0421/files/wondershareelement_ocr.pdf
    • https://cdn.shopify.com/s/files/1/0431/3461/5708/files/gamumopunojelidawitupo.pdf
    • https://cdn.shopify.com/s/files/1/0432/6172/2788/files/unity_alpha_mask.pdf
    • https://cdn.shopify.com/s/files/1/0434/7189/6736/files/parbolas_de_jesus_cairbar_schutel.pdf
    • https://cdn.shopify.com/s/files/1/0431/2920/8988/files/23413381451.pdf
    • https://cdn.shopify.com/s/files/1/0428/3770/4867/files/36280568500.pdf
    • https://cdn.shopify.com/s/files/1/0440/6778/2821/files/69941271747.pdf
    • https://static.usrfiles.com/ugd/353d00_e788014615f34c91975d7c55e944f2f1.pdf
    • https://static.usrfiles.com/ugd/5de1df_f11580e1a15849aeb2c89ad3571b367e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007105.bin
4d53fe77414deb8030090b29f3a238285a3b67ccfd588b99386de7748ab6744c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7105 5332 bytes
font_01_sfnt_off00008311.bin
6a113a03a637c9793c01e45a91ad71be0d1e2d54416a0a6a06de9784cf2784bf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8311 10820 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.