Malicious PDF — malware analysis report

Static analysis result for SHA-256 e3f1c24acba3a80c…

MALICIOUS

PDF

34.7 KB Created: 2020-09-18 06:53:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a508d943cb0e42f8583f83f2214b9e2c SHA-1: 6d4ccd14a885d4416c4fd79838283ecdfee7b5ef SHA-256: e3f1c24acba3a80c72627295226fae3af58f78b2df297532146890e09b112d2b
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document was flagged as malicious due to the presence of a redirector link pointing to a known malicious infrastructure. It also contains a large number of external links, many of which are hosted on file-sharing services, suggesting a link farm or SEO poisoning tactic. The primary malicious URL identified is https://ttraff.link/wix?keyword=dering+hall+nyc.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=dering+hall+nyc
    • https://15836219-2080-4bad-a815-f58a1657118a.filesusr.com/ugd/035627_eb68bf78890e4ba5b2dce2d148d53002.pdf?index=true
    • https://85891517-cc51-48b9-9e3c-cd89a215bb15.filesusr.com/ugd/dec231_f7b783b6e63c409a9710a35eacd5fa6b.pdf?index=true
    • https://74d09c20-1556-4c87-a95a-365fb206bc1f.filesusr.com/ugd/b0c717_9c1830e1f5cd4e738a1c3c2c97f1830b.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0431/0168/3865/files/34052571688.pdf
    • https://cdn.shopify.com/s/files/1/0434/0446/0188/files/mikusowafaledafutuzofo.pdf
    • https://cdn.shopify.com/s/files/1/0427/6623/7852/files/40821469294.pdf
    • https://cdn.shopify.com/s/files/1/0434/3375/4773/files/clown_emoji_copy_and_paste.pdf
    • https://83e50bc0-e75f-421a-add0-988c2bcc27e9.filesusr.com/ugd/7d1dc9_70b17f8d270446abb182f26a0e067be2.pdf?index=true
    • https://010aff41-d22b-4eb1-bd96-17ccb37142d8.filesusr.com/ugd/c1108c_16a9eabbf13048d2b7aa0dabb591b9e8.pdf?index=true
    • https://f760d773-4124-440a-a4a3-b515b5a1795c.filesusr.com/ugd/9edd50_41eb8437680f49698a10c392db485dce.pdf?index=true
    • https://15e484d6-da60-4287-9ecf-fd44edacc4af.filesusr.com/ugd/941881_9a50ba853bde49338822d7d1f7e921e1.pdf?index=true
    • https://38dbb6b1-af2b-4a60-aba2-67d9aa61ce8f.filesusr.com/ugd/95b9ea_27cd8064277a44b2b66552f41eaea9af.pdf?index=true
    • https://2f0be16c-7481-432d-8a6e-e1ad28d0203d.filesusr.com/ugd/b81754_90831bb8a62d4f16b0534c5d3ef00282.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004be6.bin
a2a8e77f8ae0e570d5f639ee96db2e974f9f011a4ae808613f97ee86eb2c6878		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4BE6 4984 bytes
font_01_sfnt_off00005ce6.bin
aec2171ac1756c8a76b0705d5a3a555d6a4dfdee9f733d20be6c01adccda4284		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5CE6 9884 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.