Malicious PDF — malware analysis report

Static analysis result for SHA-256 f77e630812f98f1b…

Verdict: MALICIOUS
File type: PDF
Size: 45.6 KB
Created: 2020-09-06 20:40:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 03bf2855fe6a4b6bbfba316b1766a9cd
SHA-1: e84282fa6c9ba10383feeda20eeb573b8b315709
SHA-256: f77e630812f98f1bdb34b8a512eaf07c3468e9ab7f2dfda4977442cb1fac40b9
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, pointing to a URL that appears to be part of a link farm. The document body, though heavily obfuscated, contains the same URL and a search query related to Android apps, suggesting a lure to a potentially malicious site. The ML classifier also flagged this PDF with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.club/wix?keyword=apps+similar+to+canva+for+android
    • https://static.usrfiles.com/ugd/fef806_6f593306107746908042f51c6e9b10c9.pdf
    • https://static.usrfiles.com/ugd/185c00_dbc1580e31b745e2a504672a080e2993.pdf
    • https://static.usrfiles.com/ugd/66c878_2bdcadd8ae4945c3986951f0529cf987.pdf
    • https://static.usrfiles.com/ugd/b4a829_c0e07f9b5e2b47a2bbe71c6faeddf516.pdf
    • https://static.usrfiles.com/ugd/b8c837_068a811298414bb195d63cb92190107b.pdf
    • https://cdn.shopify.com/s/files/1/0437/2732/3301/files/jotametofopipu.pdf
    • https://cdn.shopify.com/s/files/1/0437/8954/9729/files/57297750627.pdf
    • https://cdn.shopify.com/s/files/1/0430/0813/1233/files/tipos_de_tanques_de_almacenamiento_de_agua_potable.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/31178329868.pdf
    • https://static.usrfiles.com/ugd/4cd51e_560574f7c8914407bc3072566b0c76d6.pdf
    • https://static.usrfiles.com/ugd/c5d40f_91fa0dde1f32458c91fbea96aba3e388.pdf
    • https://static.usrfiles.com/ugd/b8c837_affdca35539d4e3f84b75cf182a391b1.pdf
    • https://static.usrfiles.com/ugd/b8c837_8d20a3fe6cb94fe98d3abbb09b34781c.pdf
    • https://static.usrfiles.com/ugd/74c34a_a063e831dfae43028a9fb0055163c6ad.pdf
    • https://cdn.shopify.com/s/files/1/0462/3587/7525/files/broadcast_receiver_in_service_android_example.pdf
    • https://cdn.shopify.com/s/files/1/0437/5419/3047/files/dust_bowl_map_activity_answer_key.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000740e.bin
  SHA-256: fc51f61609604a86ac6363ef32e793a826907617e776ef69597fc399c8627007
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x740E
  Size: 5352 bytes

Filename: font_01_sfnt_off00008630.bin
  SHA-256: 218e5f0e0f30e3a8a5835f1a0fffec200ad20cb5c29a43476e3479c02042f734
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8630
  Size: 10380 bytes