Malicious PDF — malware analysis report

Static analysis result for SHA-256 f6b1dc1c337bc757…

MALICIOUS

PDF

43.9 KB Created: 2020-09-07 13:51:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c0e8cfd591b5803c727bef6ab75bce68 SHA-1: 6e7c0c9d46cd45b0291e18fb9ef9171874bb8a68 SHA-256: f6b1dc1c337bc757035a4667cd2e0eecb69c79fbf0770add68112134e8e90098
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link disguised with a keyword-rich title, likely intended to trick users into clicking it. The PDF also features a large number of external links, suggesting a link farm or SEO manipulation tactic. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=brick+breaker+3d+mod+apk
    • https://static.usrfiles.com/ugd/b8c837_879b8725eb8b4873a9972f7b9620de61.pdf
    • https://static.usrfiles.com/ugd/4c3d6a_ea62dac49cd74c72938b33ebec754476.pdf
    • https://static.usrfiles.com/ugd/57c819_c560f6da78d84fc59c07db38dbe247f5.pdf
    • https://static.usrfiles.com/ugd/cc14e4_ad5a7653715b4dc58346ede6017cf3d9.pdf
    • https://static.usrfiles.com/ugd/5e81b9_8c5feab2acf84587af5f880edc8f738b.pdf
    • https://static.usrfiles.com/ugd/7ea8bb_7374134eb9314ff19925e80dfef719cc.pdf
    • https://static.usrfiles.com/ugd/83f04e_b3413d76e1524831b7557bf23512f6ae.pdf
    • https://static.usrfiles.com/ugd/04e6f9_cd0e1bee481b45d38aba91152deaa54f.pdf
    • https://static.usrfiles.com/ugd/b8c837_26cf96e6c3ec4c6eb88ab66abe21ef4a.pdf
    • https://static.usrfiles.com/ugd/02beb7_27d75bed330c49e78e7340f05f4b7451.pdf
    • https://cdn.shopify.com/s/files/1/0434/1760/0165/files/42612956605.pdf
    • https://cdn.shopify.com/s/files/1/0434/0324/7781/files/ts_eenadu_epaper_today_download.pdf
    • https://cdn.shopify.com/s/files/1/0430/6560/6301/files/pilanamobadewilekeso.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005875.bin
dd3973c2eeca095090639a159c97cc6f3e6c58983bd52fbc933734311298f6e3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5875 5424 bytes
font_01_sfnt_off00006ad3.bin
2fcbfae9a32b35b7585065e67dd1b306506561b267fc09572daa212c954565c9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6AD3 10176 bytes
font_02_sfnt_off00008dea.bin
9af6fc3bf9d751f70540aea0fa47faa159a3604992cda23d2adcda3ffc5346b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8DEA 16092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.