Malicious PDF — malware analysis report

Static analysis result for SHA-256 21c8c62bc79643cc…

MALICIOUS

PDF

42.9 KB Created: 2020-09-06 19:29:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0563573fd0d098f1333ce5c5b6df63d4 SHA-1: b73b892bc3c4d57936f2282efd88fb76aed3e636 SHA-256: 21c8c62bc79643cc65947c02fe5cacb78be2f0934ce2e0cfdcca6216dfd1f5b1
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.me, which is likely used to deliver further malicious content. The document body, though heavily obfuscated, contains the same lure text and URL, indicating a deliberate attempt to trick the user. The presence of a large number of external PDF links also suggests a link farm or SEO poisoning tactic to increase visibility.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=bheema+song++mass+tamil
    • https://static.usrfiles.com/ugd/eb5a6a_f885ddc03dc34cc09b2cac99a405ff6f.pdf
    • https://static.usrfiles.com/ugd/c34eac_900ad165f7804555af26998fe0c391a9.pdf
    • https://static.usrfiles.com/ugd/09c3c7_66e8c84af6314321922aaa206beaca2e.pdf
    • https://static.usrfiles.com/ugd/20d83a_f78c3a0a016b4f36b83b0d993f9a3984.pdf
    • https://static.usrfiles.com/ugd/46429b_955c8d4d3e9a49e9b5557be8f1f49119.pdf
    • https://static.usrfiles.com/ugd/afbef4_80bb586db5e845e1b2534f7917b93abc.pdf
    • https://static.usrfiles.com/ugd/3e5d97_d75a572783ea43e2bacd25a293149137.pdf
    • https://static.usrfiles.com/ugd/6c98bc_5f9d9f2c63044e2e8518be0b1e35e7ed.pdf
    • https://static.usrfiles.com/ugd/b8c837_e140007085bc436899dd611ba47cae93.pdf
    • https://static.usrfiles.com/ugd/451461_27089457532a4341bf093979af054814.pdf
    • https://static.usrfiles.com/ugd/4cf28d_dddab1ad8dbe4bc7a9eaa922e76abc13.pdf
    • https://static.usrfiles.com/ugd/f3ecbe_bbb32a9336c445799516fd038d08b17e.pdf
    • https://static.usrfiles.com/ugd/268ab1_0ea0818ac82e4be093b50a941746eca9.pdf
    • https://static.usrfiles.com/ugd/c0fca2_d8a72467a558480bb86e12c37a89d36a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000054af.bin
fe1e9fa70153ce66a08728e936a376f14b456cc83ba1f045fec97ee9e796cccb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x54AF 4840 bytes
font_01_sfnt_off000064fc.bin
536e8fd6b875cd7a50732b99978e29c889869351c35c807d88dd3f502062a4e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x64FC 14204 bytes
font_02_sfnt_off000090d6.bin
9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x90D6 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.