Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ac87cdd5a101c8f…

MALICIOUS

PDF

56.4 KB Created: 2020-09-02 19:36:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 255da921a9cc05ad10f8e4e227dcd511 SHA-1: ea12d58b7a13369ceb74b7ba007fc94a40a6b649 SHA-256: 0ac87cdd5a101c8fc9acfe758dca281acb7d1fd60acc2251b616b2925f0517c0
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.club'. This URL is embedded within the document body, suggesting an attempt to direct the user to a malicious site. The presence of numerous other PDF links, many pointing to 'static.usrfiles.com', indicates a link farm strategy, likely to improve SEO for malicious content or to obscure the primary malicious destination. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=angularjs+template+ternary+operator
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static.usrfiles.com/ugd/5b9365_5ae3ac7b718f49f7a43481ef0f836903.pdf
    • https://static.usrfiles.com/ugd/81ef4b_87d0c1e2447049e0b2b601f6334353bd.pdf
    • https://static.usrfiles.com/ugd/52b593_3febaa233aa34f61be1b3f73abe4fbb9.pdf
    • https://static.usrfiles.com/ugd/89064d_92d6bd36d3da4249ad6a2130f45480e5.pdf
    • https://static.usrfiles.com/ugd/a18aa6_57df01d39ec64097a1359892b05d7601.pdf
    • https://static.usrfiles.com/ugd/b8c837_9ff3a7138cc3429ea17e92826c9049c5.pdf
    • https://static.usrfiles.com/ugd/1c8c1e_e7e2bea5d10847e4afc477f320aacc1c.pdf
    • https://static.usrfiles.com/ugd/bae363_f90153d56e5a4c37af16b591db426e94.pdf
    • https://static.usrfiles.com/ugd/de3d83_18499973ffae4a3783f9c1a10d77b758.pdf
    • https://cdn.shopify.com/s/files/1/0437/7831/0306/files/76262530845.pdf
    • https://cdn.shopify.com/s/files/1/0432/9232/8104/files/porotox.pdf
    • https://cdn.shopify.com/s/files/1/0432/4684/6107/files/11758517286.pdf
    • https://cdn.shopify.com/s/files/1/0431/6433/6290/files/vemonamesuvu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007bb1.bin
6ce5162c499cf69746118a529766591e13fd29dfa80311fbc9ae5b891a108816		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7BB1 5304 bytes
font_01_sfnt_off00008dbc.bin
d0580351775abbe7680d8f9cc9b4e215d97741f9cd3d213eb1b0d8e3d4628973		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8DBC 15636 bytes
font_02_sfnt_off0000bf3e.bin
e15a1281d5822949f1e77669e824eae5514ae62c72e5676204b82dc78d7785f6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBF3E 16144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.