Malicious PDF — malware analysis report

Static analysis result for SHA-256 cacfe9ff475a502a…

MALICIOUS

PDF

43.7 KB Created: 2020-08-30 11:08:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bf5c046d6591ba785d824666a3922450 SHA-1: 865a81b46d2cbf5873974d7a2ad83b8646f9b961 SHA-256: cacfe9ff475a502ab9cd17bdf5327b30a6d1a3c52899d4da71998d2360cf5138
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic firing indicating a malicious redirector. The document body, though partially corrupted, contains the URL 'https://ttraff.com/wix?keyword=hur+man+bygger+en+hubless+hjul', which is flagged as malicious. Additionally, the PDF exhibits characteristics of a link farm, with many links pointing to external PDFs, suggesting a distribution or redirection mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=hur+man+bygger+en+hubless+hjul
    • https://static.usrfiles.com/ugd/b8c837_6cbaf4432a3240aebeb8cc751c0e4c84.pdf
    • https://static.usrfiles.com/ugd/b65acf_48946ee3fda34797a21246dcd81536ef.pdf
    • https://static.usrfiles.com/ugd/b8c837_2bb73b75561047939d52aa76e6e8a4b1.pdf
    • https://static.usrfiles.com/ugd/b8c837_529951ec6117469db58261daf5e5997e.pdf
    • https://cdn.shopify.com/s/files/1/0431/8609/4248/files/commendable_work_performance.pdf
    • https://static.usrfiles.com/ugd/3fc21f_8d9e2fb4ffc04a0c8e032336b89ec477.pdf
    • https://static.usrfiles.com/ugd/6f7357_011eefc82d8b4be2b4e661c6f6fac8bd.pdf
    • https://cdn.shopify.com/s/files/1/0429/7038/2490/files/midolidabubitafideboweba.pdf
    • https://cdn.shopify.com/s/files/1/0430/9562/1796/files/lososepalawidenoki.pdf
    • https://cdn.shopify.com/s/files/1/0429/0491/2031/files/5616616458.pdf
    • https://cdn.shopify.com/s/files/1/0428/3564/0487/files/rijuxonisarujowasive.pdf
    • https://cdn.shopify.com/s/files/1/0434/9191/7989/files/pilefuzopofaduzizeze.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d0a.bin
3a0ec83fda3811c4381a5ea710fe53632e41aaabdd14b5b1f174ba5394222317		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D0A 5380 bytes
font_01_sfnt_off00007f2c.bin
4b240d0385dfef0acc52a4c9615a724d36b296212e03e2a3d68b5ddd9632b3d9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F2C 10228 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.