Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1ec08439f77fee8…

MALICIOUS

Type: PDF
Size: 42.0 KB
Created: 2020-09-19 16:42:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b17f26ffe48e357b1e0b6d3cc4e639c6
SHA-1: ff4c5ce0815cdf6dd4ce0a47442e8d299f474742
SHA-256: f1ec08439f77fee8ab2074faa8d19dcc30122fbb2e1dbbc0fb8550990d8dd7e1
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link
  • T1204.002 User Execution: Malicious File

This PDF document contains a large number of embedded links, most of which point to external PDF files hosted on a handful of domains. One prominent link, 'https://ttraff.link/wix?keyword=biodegradable+water+balloons+near+me', is identified as a malicious redirector. The document's structure suggests a generated link farm, intended to manipulate search-engine ranking and to route users who arrive from search results into a redirect chain toward malicious content; the wkhtmltopdf producer recorded in the metadata is consistent with automated generation. No scripts were extracted, and the document body is heavily obfuscated, so the risk lies in user interaction with the links rather than in a parser exploit.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.link/wix?keyword=biodegradable+water+balloons+near+me
    • http://zaxifidud.kashmirweavers.org/uploads/1/3/1/4/131406650/8513321.pdf
    • http://files.silas-house.com/uploads/1/3/1/3/131380728/0a293b781.pdf
    • http://files.planpte.org/uploads/1/3/1/8/131871419/35bead7dd82101.pdf
    • https://54e2cae4-d495-4a22-bda2-8386d308af15.filesusr.com/ugd/8716ab_add0aa4c48504447857384c709f1cee8.pdf?index=true
    • https://732bf27f-9508-4c58-82d0-d8fb01bf6513.filesusr.com/ugd/b361c6_7baa11fb568d4951886f7e98d50bf841.pdf?index=true
    • https://3eed63d4-fa93-4cdf-8635-9ed8948084d1.filesusr.com/ugd/d1fcfc_161cfd78b312454aa9b07bbfa01bcf96.pdf?index=true
    • https://0d9e6537-3130-4746-aea7-c2645db74d5b.filesusr.com/ugd/0582e0_680d2328712f4e36b3ab0c2110483e16.pdf?index=true
    • https://796128e0-bf01-40c0-b175-b90c4f2fd5f8.filesusr.com/ugd/7d2910_f34c6971bd474215a8acc16dc541f88c.pdf?index=true
    • https://70f16eef-1f1d-4d7c-b2cc-ba482e692f17.filesusr.com/ugd/01f9b9_235147076d10432cbaebf33cf1d844fa.pdf?index=true
    • https://93c7583d-f9cc-4857-8bbc-8761d39b3ed9.filesusr.com/ugd/733c1f_207e329703e6488890bcced3e5303613.pdf?index=true
    • https://dad486d6-5f4d-4b97-8d88-988bcc5b1294.filesusr.com/ugd/66f3f9_139d9577f74e4c0cbdc9ca7aee3a23f1.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    Note: the last six entries are RDF/XMP schema namespace identifiers pulled from the document's metadata packet (xmlns attributes), not clickable link targets; they appear in essentially every PDF that carries XMP metadata and should be discounted when counting external links.
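The two critical heuristics above can be reproduced with a short, library-free scan. The following is an added example written for this page, not the report's own detection engine: it pulls the /URI targets out of a PDF's link annotations (the "link annotation" channel that EMBEDDED_URL refers to), matches hosts against a redirector list, and applies a size/count/host-clustering rule for the link-farm pattern. Assumptions: the redirector blocklist holds only ttraff.link from the report, the thresholds (256 KB, 8 links, 50% on one registered domain) are illustrative, the "registered domain" is approximated by the last two host labels, and the sample PDF is a constructed blob assembled from the report's own URLs rather than the analysed file.

```python
"""Added example (not the report's tooling): extract /URI link targets from a
PDF and apply the PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM ideas.
Regex-based, so it misses URIs inside compressed object streams or hex strings."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed blocklist: ttraff.link is the redirector named in the report.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.link"}

# /URI (literal string): literal strings may contain escaped parentheses, so
# accept "\x" pairs before treating ")" as the terminator.
URI_RE = re.compile(rb"/URI\s*\((?P<lit>(?:\\.|[^\\)])*)\)")


def _unescape_pdf_literal(raw: bytes) -> str:
    """Decode PDF literal-string escapes: backslash-n/r/t/b/f, escaped
    delimiters, and up to three octal digits."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != 0x5C:                      # not a backslash: copy through
            out.append(raw[i]); i += 1; continue
        i += 1                                  # skip the backslash itself
        if i >= len(raw):
            break
        if raw[i] in b"01234567":               # octal escape \ddd
            j = i
            while j < len(raw) and j < i + 3 and raw[j] in b"01234567":
                j += 1
            out.append(int(raw[i:j], 8) & 0xFF); i = j
        else:                                   # \n \r \t \b \f or escaped char
            out.append({0x6E: 10, 0x72: 13, 0x74: 9, 0x62: 8, 0x66: 12}.get(raw[i], raw[i]))
            i += 1
    return out.decode("latin-1")


def extract_link_uris(pdf_bytes: bytes) -> list:
    """URIs reachable through /URI entries (the link-annotation channel).
    XMP namespace URIs live as xmlns attributes in the /Metadata stream, not in
    /URI entries, so they are never returned here."""
    return [_unescape_pdf_literal(m.group("lit")) for m in URI_RE.finditer(pdf_bytes)]


def _registered_domain(uri: str) -> str:
    """Crude eTLD+1 (last two labels); assumption, good enough for clustering."""
    host = urlsplit(uri).hostname or ""
    return ".".join(host.split(".")[-2:])


def redirector_links(uris) -> list:
    """PDF_MALICIOUS_REDIRECTOR_LINK: URIs whose host is on the blocklist."""
    return [u for u in uris if urlsplit(u).hostname in KNOWN_REDIRECTOR_HOSTS]


def is_seo_link_farm(uris, size_bytes, max_size=256 * 1024,
                     min_pdf_links=8, cluster_ratio=0.5) -> bool:
    """PDF_SEO_LINK_FARM: small file, many external .pdf links, most of them on
    one registered domain. All thresholds are assumptions."""
    pdf_links = [u for u in uris if urlsplit(u).scheme in ("http", "https")
                 and urlsplit(u).path.lower().endswith(".pdf")]
    if size_bytes > max_size or len(pdf_links) < min_pdf_links:
        return False
    _, top = Counter(_registered_domain(u) for u in pdf_links).most_common(1)[0]
    return top / len(pdf_links) >= cluster_ratio


# Constructed sample: a subset of the URLs listed in the report.
SAMPLE_URIS = [
    "https://ttraff.link/wix?keyword=biodegradable+water+balloons+near+me",
    "http://zaxifidud.kashmirweavers.org/uploads/1/3/1/4/131406650/8513321.pdf",
    "http://files.silas-house.com/uploads/1/3/1/3/131380728/0a293b781.pdf",
    "http://files.planpte.org/uploads/1/3/1/8/131871419/35bead7dd82101.pdf",
    "https://54e2cae4-d495-4a22-bda2-8386d308af15.filesusr.com/ugd/8716ab_add0aa4c48504447857384c709f1cee8.pdf?index=true",
    "https://732bf27f-9508-4c58-82d0-d8fb01bf6513.filesusr.com/ugd/b361c6_7baa11fb568d4951886f7e98d50bf841.pdf?index=true",
    "https://3eed63d4-fa93-4cdf-8635-9ed8948084d1.filesusr.com/ugd/d1fcfc_161cfd78b312454aa9b07bbfa01bcf96.pdf?index=true",
    "https://0d9e6537-3130-4746-aea7-c2645db74d5b.filesusr.com/ugd/0582e0_680d2328712f4e36b3ab0c2110483e16.pdf?index=true",
    "https://796128e0-bf01-40c0-b175-b90c4f2fd5f8.filesusr.com/ugd/7d2910_f34c6971bd474215a8acc16dc541f88c.pdf?index=true",
    "https://70f16eef-1f1d-4d7c-b2cc-ba482e692f17.filesusr.com/ugd/01f9b9_235147076d10432cbaebf33cf1d844fa.pdf?index=true",
]


def build_sample_pdf(uris) -> bytes:
    """Assemble a minimal PDF-like blob (constructed, not the analysed file):
    one /Link annotation per URI plus an XMP packet with namespace URIs."""
    def lit(s):
        return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    parts = ["%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >>\nendobj\n",
             f"3 0 obj\n<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\n"
             f"stream\n{xmp}\nendstream\nendobj\n"]
    for num, u in enumerate(uris, start=4):
        parts.append(f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                     f"/A << /S /URI /URI ({lit(u)}) >> >>\nendobj\n")
    parts.append("%%EOF\n")
    return "".join(parts).encode("latin-1")


def analyse(pdf_bytes: bytes) -> dict:
    """Run both heuristics over one file and return the verdict inputs."""
    uris = extract_link_uris(pdf_bytes)
    return {"uris": uris, "redirector": redirector_links(uris),
            "link_farm": is_seo_link_farm(uris, len(pdf_bytes))}


if __name__ == "__main__":
    for key, value in analyse(build_sample_pdf(SAMPLE_URIS)).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports the ttraff.link URI as a redirector hit and flags the link-farm rule because six of the nine .pdf links resolve to filesusr.com; the XMP namespace URIs never reach the link list because they are not /URI entries. For real triage, run the same logic after inflating FlateDecode streams (or use a proper parser such as pdfid/peepdf), since link annotations in modern PDFs usually sit inside compressed object streams.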

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                       Size
font_00_sfnt_off000066f0.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x66F0    5424 bytes
  SHA-256: 5480e0144187da068f4d0ab253854059fc45f3b8f49c1127a5afb13797dd7270
font_01_sfnt_off0000795b.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x795B    10012 bytes
  SHA-256: 4e00beabdbb57b60350d09f4a563ef8135f7aec8e0f52bc42043b59f24e78ef1