Malicious PDF — malware analysis report

Static analysis result for SHA-256 df974a767f59fcab…

MALICIOUS

PDF

39.5 KB Created: 2020-08-30 01:08:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b7ab0cd3f0860301955bf6bca9ae34fc SHA-1: e071714cc19103556a3afc294a8026791f01219e SHA-256: df974a767f59fcabd8d170a8283d19db2dd265aed05dbacaa2c390653ea3f9b5
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged as malicious by an ML classifier and contains a significant number of embedded links. One of these links, 'https://ttraff.com/wix?keyword=iso+9004+pdf', points to a known malicious redirector. The presence of a link farm suggests an attempt to lure users to malicious content, potentially for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=iso+9004+pdf
    • https://static.usrfiles.com/ugd/5fd5c1_e90d647eda924d5ba6e911d8279c9dce.pdf
    • https://static.usrfiles.com/ugd/b8c837_d50b3c1c2f5f4af4af6a03030937864b.pdf
    • https://static.usrfiles.com/ugd/b8c837_f034b80f0d474d84949620da31371891.pdf
    • https://static.usrfiles.com/ugd/b8c837_de9313b406d64784937543534630954f.pdf
    • https://cdn.shopify.com/s/files/1/0428/7945/1289/files/kisezin.pdf
    • https://cdn.shopify.com/s/files/1/0434/4637/0471/files/a_level_economics_revision_guide_edexcel.pdf
    • https://cdn.shopify.com/s/files/1/0433/3335/3627/files/77714284478.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/lekutaxawiwasutoxojopelor.pdf
    • https://static.usrfiles.com/ugd/b8c837_5769e1b7c6f04deabef1f2ef0e60a801.pdf
    • https://static.usrfiles.com/ugd/b8c837_dfe740756e4745bbb9da2d2cc664978e.pdf
    • https://static.usrfiles.com/ugd/1c8c6c_05260545214748e99ecbe5640f756857.pdf
    • https://static.usrfiles.com/ugd/ea2f88_3ecaf1887468485e989ff73da2d21df4.pdf
    • https://static.usrfiles.com/ugd/1c8c6c_485ddfe69f66477dbed9c9c9607f0011.pdf
    • https://static.usrfiles.com/ugd/b8c837_b62c544c6b27459db7f4b7e1f6e53453.pdf
    • https://static.usrfiles.com/ugd/b8c837_0b76a687defe4b8bb8b14de33fecf263.pdf
    • https://static.usrfiles.com/ugd/d162e3_c7216ee2a2c54d6f8c9c47b7a1737f15.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ee6.bin
a702ea47b865e7e201c0c871cad1949f9ba817e48be380f9fbe64a3880451d3c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EE6 5020 bytes
font_01_sfnt_off00007009.bin
d605b421137eed41cce0ba8b7144f0b18581bd4bfb6e16392c7d3928d004a75e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7009 9948 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.