Malicious PDF — malware analysis report

Static analysis result for SHA-256 dab256fdd5e81a1f…

Verdict: MALICIOUS
File type: PDF
Size: 40.9 KB
Created: 2020-09-19 12:57:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 036b8171dade7da8035a2bc536e15666
SHA-1: 49cd65d527b47b2ed1dbc9032c2f072083446381
SHA-256: dab256fdd5e81a1faf60c5f935254d23e0986d1627d7bd4efb17390dd1cec056
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains numerous embedded links, many of which point to suspicious domains and are likely part of a link farm designed to improve search engine rankings for malicious content. One prominent link, 'https://ttraff.com/wix?keyword=fnaf+1+vr+guide', is identified as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting a lure to a potentially harmful site. The ML classifier strongly supports the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.com/wix?keyword=fnaf+1+vr+guide
    • http://kavigeb.shaikheskander.com/uploads/1/3/1/1/131164456/sevumorarepop.pdf
    • http://fazepixin.colegiocumbaya.org/uploads/1/3/1/1/131164250/7b1a00452a.pdf
    • http://kowono.northcoloradomedevac.com/uploads/1/3/1/0/131070458/diroji.pdf
    • http://jerusa.thomasklassen.net/uploads/1/3/1/6/131637014/vuseru_potowima_jonagaxukosud.pdf
    • https://cdn.shopify.com/s/files/1/0430/0318/3258/files/log4net_configuration_examples.pdf
    • https://cdn.shopify.com/s/files/1/0441/2358/6712/files/35712394080.pdf
    • https://cdn.shopify.com/s/files/1/0434/4512/5281/files/87830907267.pdf
    • https://cdn.shopify.com/s/files/1/0463/0400/2210/files/82808888077.pdf
    • https://cdn.shopify.com/s/files/1/0434/6295/1077/files/cgminer_windows_7_32_bit.pdf
    • https://4638cb7d-562e-486d-b77d-9aa121411159.filesusr.com/ugd/eb6612_c5260682c2b74eedba131c146e786c31.pdf?index=true
    • https://eade8b6a-75fe-4ef9-8ea8-fed313f00616.filesusr.com/ugd/f523c3_605c1bc675e44c738a51b10f0bc57067.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off000062e2.bin
    SHA-256: fb7aba3351d022384ce91e082eb0456c024bbf82844b932624f15990c9c7feb6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x62E2
    Size: 4932 bytes
  • font_01_sfnt_off000073d2.bin
    SHA-256: 68fa822002a6f2978c21d5b9faeb0df6a97966a5234d0e4f8441b2d080458d80
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x73D2
    Size: 10396 bytes