Malicious PDF — malware analysis report

Static analysis result for SHA-256 eae9a38733c9d538…

Verdict: MALICIOUS
File type: PDF
Size: 55.6 KB
Created: 2020-09-22 01:57:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b54a82cf150602875731ac98d8e3833a
SHA-1: 1fcafa0c1301bbf7304eee43eba3a85f8510fe19
SHA-256: eae9a38733c9d538bf1bc8cb76aabc388cecde82430d95b24e37bd7a4e67be25
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link (the document's mechanism is clickable URIs into a redirect chain, not an embedded payload)
T1059.001 Command and Scripting Interpreter: PowerShell (mapped by the analyzer; none of the static findings below show a PowerShell stage, so read this as an inference about the downstream delivery chain rather than an observation from this file)

The PDF carries a large number of embedded URLs, and the heuristics classify it as a link farm that routes users to known malicious redirect infrastructure. The document body, although heavily obfuscated, contains the URL 'https://ttraff.club/wix?keyword=para+que+se+usa+las+comillas', which is flagged as a malicious redirector. The document's purpose is therefore to lure users to attacker-controlled sites, most likely for phishing or malware distribution; it relies on the user clicking and on redirect chains rather than on a PDF parser vulnerability.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the risk lies in where the links lead, not in rendering the file.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, and does not resemble a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.club/wix?keyword=para+que+se+usa+las+comillas (document body; flagged as a malicious redirector, see PDF_MALICIOUS_REDIRECTOR_LINK above)
    • http://zukejuv.thefriendshipcentre.co.uk/uploads/1/3/1/4/131437515/1190087.pdf
    • http://files.rosytoesdesigns.com/uploads/1/3/1/4/131409498/xilelaxabedupa.pdf
    • http://files.wanderlusthrts.com/uploads/1/3/0/7/130739142/49c8483a9ec.pdf
    • http://files.kelseysmarina.com/uploads/1/3/0/7/130775498/3c70d.pdf
    • http://files.abingtonpolishing.com/uploads/1/3/1/4/131454034/bipepunuzowugus.pdf
    • http://gigajegi.indiangrovechurch.com/uploads/1/3/1/4/131454172/lovol.pdf
    • http://files.srphotographymelbourne.com.au/uploads/1/3/1/3/131398351/mapomapufi.pdf
    • http://files.our-perspective.com/uploads/1/3/1/6/131606493/4436a.pdf
    • http://files.burnsidecoaching.co.uk/uploads/1/3/1/8/131871994/6230276.pdf
    • https://72a42805-aeb7-4443-b8bb-3faba269e53e.filesusr.com/ugd/6f53d7_fdf9090257184c50b7c7dceadba6bd4c.pdf?index=true
    • https://8ec14ef5-b176-4990-b308-1ed4aaa92632.filesusr.com/ugd/98d33d_a8d9896be614431f9966d25b3b1d9338.pdf?index=true
    • https://36c4c05c-4b01-4797-9f1e-4b98182206e0.filesusr.com/ugd/e3c460_6f0b3684b36d4516b4eab3857113f9c6.pdf?index=true
    • https://5804f943-7c2e-4759-8642-2dfed2a6133c.filesusr.com/ugd/1849a1_0e1bc3bca6634c3685ecef4d604f7171.pdf?index=true
    • https://69c1b85a-845a-473b-97d5-e0114ffcd775.filesusr.com/ugd/a771bd_4e687d1136954de5be39d76d57e364e5.pdf?index=true
    • https://15ffddfd-bece-4e22-b6fa-e5e4fee9a1c1.filesusr.com/ugd/cc089a_c102fc216d214deb92603c9906d6fe9e.pdf?index=true
    • https://8e01efe6-6fa1-45ce-9033-beee2265399c.filesusr.com/ugd/01e791_8024cd552b5b4066bb8fbcc0f48e26b3.pdf?index=true
    The following six entries are XMP/RDF schema namespace identifiers from the document's metadata stream (RDF, Dublin Core, Adobe PDF and XMP schemas) written by the producer. They are not clickable links and carry no signal on their own:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://8ec14ef5-b176-4990-b308-1ed4aaa92632.filesusr.com/
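The two link heuristics above can be reproduced with a small scanner. The following is an added example, not the analyzer's own code: it extracts URLs per channel (link-annotation action, document body, XMP namespace), inflates FlateDecode streams so annotations packed into compressed object streams are reached, and applies the link-farm and known-redirector checks. The thresholds (file size, number of external .pdf links, share on the top registrable domain), the one-entry redirector list seeded from ttraff.club, and the constructed sample PDF with its siteNN.filesusr.com and example.* hostnames are all assumptions made for the example.

```python
"""Link-farm and redirector heuristics for PDFs: an added example, not the
analyzer's code. Thresholds and the redirector host list are assumptions."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

KNOWN_REDIRECTOR_HOSTS = {"ttraff.club"}  # assumption: seeded from this report's flagged host
# XMP/RDF schema namespaces from the /Metadata stream: identifiers, never clickable links.
XMP_NAMESPACE_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns", "http://purl.org/dc/elements/1.1/",
                          "http://ns.adobe.com/pdf/1.3/", "http://ns.adobe.com/xap/1.0/")

_STREAM_RE = re.compile(rb"/Length\s+(\d+)[^>]*>>\s*stream\r?\n")  # direct /Length values only
_LINK_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")      # /Link annotation action
_ANY_URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")            # document body / metadata text


def _blobs(pdf):
    """Yield the raw file, then every stream that inflates as FlateDecode, so link
    annotations packed into a compressed object stream (/ObjStm) are reached too."""
    yield pdf
    for m in _STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompress(pdf[m.end(): m.end() + int(m.group(1))])
        except zlib.error:
            continue  # uncompressed or non-Flate stream (text, image, font)


def extract_urls(pdf):
    """Per-channel extraction, mirroring the report's per-URL channel labels."""
    links, seen = [], set()
    for blob in _blobs(pdf):
        links += [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
                  for m in _LINK_URI_RE.finditer(blob)]
        seen |= {m.group(0).decode("latin-1") for m in _ANY_URL_RE.finditer(blob)}
    seen -= set(links)
    ns = {u for u in seen if u.startswith(XMP_NAMESPACE_PREFIXES)}
    return {"link_annotation": links, "document_body": sorted(seen - ns), "xmp_namespace": sorted(ns)}


def registrable_domain(host):
    # Last-two-labels approximation: "files.example.co.uk" collapses to "co.uk"; use the Public Suffix List in production.
    return ".".join(host.lower().split(".")[-2:])


def evaluate(pdf, max_size=200_000, min_pdf_links=8, min_cluster_share=0.4):
    """Apply the report's two link heuristics with illustrative thresholds."""
    urls = extract_urls(pdf)
    pdf_links = [u for u in urls["link_annotation"]
                 if urlparse(u).scheme in ("http", "https") and urlparse(u).path.lower().endswith(".pdf")]
    domains = Counter(registrable_domain(urlparse(u).hostname or "") for u in pdf_links)
    top_domain, top_count = domains.most_common(1)[0] if domains else ("", 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    redirectors = sorted(u for u in urls["link_annotation"] + urls["document_body"]
                         if (urlparse(u).hostname or "") in KNOWN_REDIRECTOR_HOSTS)
    return {"external_pdf_links": len(pdf_links), "top_domain": top_domain,
            "top_domain_share": round(share, 2),
            "PDF_SEO_LINK_FARM": len(pdf) <= max_size and len(pdf_links) >= min_pdf_links
                                 and share >= min_cluster_share,
            "PDF_MALICIOUS_REDIRECTOR_LINK": redirectors}


def build_sample_pdf(link_uris, body_text):
    """Constructed test input (not the analysed sample): /Link annotations inside a
    Flate-compressed object stream, an XMP metadata stream and a text content stream.
    No xref table is written; the scanner above reads bytes, not the object graph."""
    refs, pairs, objs = [], [], b""
    for i, uri in enumerate(link_uris):
        pairs.append(f"{10 + i} {len(objs)}")
        refs.append(f"{10 + i} 0 R")
        objs += f"<< /Type /Annot /Subtype /Link /Rect [0 {12 * i} 200 {12 * i + 10}] /A << /S /URI /URI ({uri}) >> >>\n".encode()
    hdr = (" ".join(pairs) + "\n").encode()
    xmp = (b"<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
           b"xmlns:dc='http://purl.org/dc/elements/1.1/' xmlns:pdf='http://ns.adobe.com/pdf/1.3/'/>")

    def stream(num, entries, data):
        return f"{num} 0 obj << {entries} /Length {len(data)} >> stream\n".encode() + data + b"\nendstream endobj\n"

    return b"".join([
        b"%PDF-1.5\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        f"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [{' '.join(refs)}] >> endobj\n".encode(),
        stream(4, "", f"BT /F1 10 Tf 20 700 Td ({body_text}) Tj ET".encode()),
        stream(5, "/Type /Metadata /Subtype /XML", xmp),
        stream(6, f"/Type /ObjStm /N {len(link_uris)} /First {len(hdr)} /Filter /FlateDecode", zlib.compress(hdr + objs)),
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


# Constructed sample: seven links clustered on one domain, four on unrelated hosts, one bare host, plus this report's redirector URL in the page text.
SAMPLE_LINKS = ([f"https://site{i:02d}.filesusr.com/ugd/{i:02d}.pdf?index=true" for i in range(7)]
                + ["http://files.example.com/uploads/1/a.pdf", "http://files.example.co.uk/uploads/2/b.pdf",
                   "http://files.example.com.au/uploads/3/c.pdf", "http://files.example.org/uploads/4/d.pdf",
                   "https://site01.filesusr.com/"])
REDIRECTOR_URL = "https://ttraff.club/wix?keyword=para+que+se+usa+las+comillas"
SAMPLE_PDF = build_sample_pdf(SAMPLE_LINKS, REDIRECTOR_URL)
```

Running evaluate(SAMPLE_PDF) fires PDF_SEO_LINK_FARM (11 external .pdf links, 7 of them on filesusr.com) and lists the ttraff.club URL under PDF_MALICIOUS_REDIRECTOR_LINK. Two points the report's wording implies but a naive scanner misses: link annotations are frequently packed into FlateDecode object streams, so a regex over the raw file finds nothing until streams are inflated; and the RDF, Dublin Core and Adobe namespace URIs in the XMP stream must be kept out of the link count, or every wkhtmltopdf-produced document appears to carry six extra URLs. The scanner only honours direct /Length values and skips indirect ones, a limitation a production tool would resolve by walking the object graph.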

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are sfnt-container (TrueType/OpenType) font subsets, which wkhtmltopdf output normally embeds; none of the heuristics above fired on them, so they are context for the producer fingerprint rather than indicators.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off00007079.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7079 | 4764 bytes | 4e92a12f8aad83166833cdc909aee7ca6c048f49591fa2169c6cbf3c5cc5cb9a
font_01_sfnt_off000080ed.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x80ED | 5072 bytes | 0fa23acd2886728f2c864817cfe25c51dbfcb50d6176b018f3bb6e8e21fda63e
font_02_sfnt_off0000921b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x921B | 12444 bytes | 26aedeb63f6a337522aa7cb5367f521ff5d76e20e9d85be785c1ee394f083d59
font_03_sfnt_off0000ba3d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBA3D | 16164 bytes | 80445f2abe94c9d771dd9a4f5b14a7969aca95ead3220a7d882418edf0a4b938