Malicious PDF — malware analysis report

Static analysis result for SHA-256 20767bcef032b435…

Verdict: MALICIOUS
File type: PDF
Size: 59.6 KB
Created: 2020-08-30 02:25:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b6ce05f47d6dc9e5e0bf870459c2779f
SHA-1: 578dfa3d9a4419187441ab7eb1e1bd6a46859fd2
SHA-256: 20767bcef032b4355f0c430be741cca96475da8f4bc6c67b4d6f3ccf142ac3fe
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF was flagged as malicious by an ML classifier and contains a large number of external links, many hosted on static.usrfiles.com. One of these links, https://ttraff.cc/wix?keyword=the+travels+of+marco+polo+the+venetian, is identified as a known malicious redirector. The document body appears to be corrupted or obfuscated, making it difficult to determine the exact lure, but the presence of the malicious redirector is a strong indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=the+travels+of+marco+polo+the+venetian (known malicious redirector)
    • https://static.usrfiles.com/ugd/b8c837_4256e1a6ffbf4d08a811cea1e5adb1dc.pdf
    • https://static.usrfiles.com/ugd/b8c837_f0018bb3149a436194e978a19552e0c3.pdf
    • https://static.usrfiles.com/ugd/3826db_28da3f7babec4f1f9e046f4397fd728f.pdf
    • https://static.usrfiles.com/ugd/7ef0dc_f2b7ff1b7ec14916b34f439607c79861.pdf
    • https://static.usrfiles.com/ugd/158fb9_206944d8e21f496bb944f178d72ceeab.pdf
    • https://cdn.shopify.com/s/files/1/0438/0744/1053/files/diy_compressed_air_dryer.pdf
    • https://static.usrfiles.com/ugd/b8c837_e9a201ea9e9b486cbd7d8926f9c12019.pdf
    • https://static.usrfiles.com/ugd/b8c837_442329143f1244b99b68507da90d1fdc.pdf
    • https://static.usrfiles.com/ugd/12745a_a992e41e6439423888297ba30d0914f7.pdf
    • https://static.usrfiles.com/ugd/f1780b_37f0fe00adc14bf0a3bb5e9d47c2c103.pdf
    • https://static.usrfiles.com/ugd/2ac701_207d4db0fe104e6783bccf10d393bc56.pdf
    • https://cdn.shopify.com/s/files/1/0433/8571/6886/files/69803323130.pdf
    • https://cdn.shopify.com/s/files/1/0435/3749/8271/files/free_ux_case_study_template.pdf
    • https://cdn.shopify.com/s/files/1/0429/5383/4649/files/vezupomenofurekojelav.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ac8f.bin
    SHA-256: 1a4b1c7032cf221a7714aa2e1a405b3e52bc5e58965f7b9e8cfcbdf90426deac
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAC8F
    Size: 5264 bytes
  • font_01_sfnt_off0000be5f.bin
    SHA-256: 8c752b6f22d353866a0e9699e847ad9235677ce3e757cb8ecad58afdfb76d62c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBE5F
    Size: 10204 bytes