Malicious PDF — malware analysis report

Static analysis result for SHA-256 df1c33f0b6a02de0…

MALICIOUS

PDF

33.9 KB Created: 2020-08-20 20:15:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bffac0fdd5780db3a3b23c6f309792dc SHA-1: 1ce1f3f1af038a498a129fb424e092118b951c9d SHA-256: df1c33f0b6a02de0f064cd1d3baa822940356a62ec10c6da8fda4fa82a8e6cc7
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded URLs, a technique often used to obscure malicious destinations or create link farms. One of these URLs, 'https://ttraff.com/pify?keyword=archeage+unchained+pts+how+to', is flagged as a known malicious redirector. The presence of this malicious redirector, combined with the overall structure of a link farm, strongly suggests an attempt to lure users to a malicious website, likely for phishing or malware delivery. No scripts were extracted, and the document body was heavily obfuscated, making it difficult to determine the exact payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=archeage+unchained+pts+how+to
    • http://files.tzaddi.net/uploads/1/3/2/6/132695416/c791526.pdf
    • https://cdn.shopify.com/s/files/1/0431/7328/1948/files/44271397893.pdf
    • https://cdn.shopify.com/s/files/1/0429/0510/8636/files/23552248992.pdf
    • https://cdn.shopify.com/s/files/1/0436/3422/9406/files/bgv_verification_form.pdf
    • https://cdn.shopify.com/s/files/1/0431/9870/9918/files/35389757086.pdf
    • https://cdn.shopify.com/s/files/1/0429/5039/4019/files/nilafefutizevurugagal.pdf
    • https://cdn.shopify.com/s/files/1/0434/7209/3336/files/gowajevikuvufiteberudu.pdf
    • https://cdn.shopify.com/s/files/1/0431/3779/4204/files/binding_of_isaac_devil_room.pdf
    • https://cdn.shopify.com/s/files/1/0431/4628/1120/files/rexufufiboromokodorufasi.pdf
    • https://cdn.shopify.com/s/files/1/0438/5452/8677/files/xaxukobowapadaniju.pdf
    • https://cdn.shopify.com/s/files/1/0432/6617/9230/files/signals_systems_and_transforms_5th_edition.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000047ad.bin
2780b17389ed4c5e08f5e4aadfd08f2b96ee0610fd328b0b568d5e95e6e64e37		 pdf-font-stream PDF embedded font (sfnt) at offset 0x47AD 5384 bytes
font_01_sfnt_off00005a01.bin
3f3b235ab0580118da0a01e64657912969ff8808692b420a34e5bbd830096282		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5A01 9732 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.