Malicious PDF — malware analysis report

Static analysis result for SHA-256 220043e2c37fb2cd…

MALICIOUS

PDF

Size: 47.7 KB
Created: 2020-09-17 00:13:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b39db04997dade7eb3fb88e4af4f5156
SHA-1: d961d22b37a1993b3cb10b81b66f5cf34facd9fb
SHA-256: 220043e2c37fb2cd8cd62260d2eb46ce4cc8d9b6929daf1652c78d46361e5ad3
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to a redirector service. The document body and embedded URLs suggest a lure for a "bullet force mod apk", likely a scam or malware distribution. The primary malicious URL identified is ttraff.me, which is flagged as a malicious redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://ttraff.me/wix?keyword=bullet+force+mod+apk
    • https://1a5c5f76-7c3c-49e4-9558-0b27c1d1e7b3.filesusr.com/ugd/efb3f0_3c7b16d5968b43bf9761893e33ab613e.pdf?index=true
    • https://ebcf3d5f-c138-473b-8ee8-f373a46117cc.filesusr.com/ugd/fe83c3_2a6eb99b476b4d53a1d08955667eb940.pdf?index=true
    • https://e338e107-af11-4e7c-ac58-3023ac87b2aa.filesusr.com/ugd/682d1c_be11a56debcf49efa841cfac19c1c0ef.pdf?index=true
    • https://ec41ba3d-b99a-45a2-b7e7-e2670943f003.filesusr.com/ugd/e1a791_5715499e2cd14bdb983985870389b450.pdf?index=true
    • https://51b32f0e-e780-4f82-b7b8-17ef98853b5f.filesusr.com/ugd/baef12_022a1731773a44609700ca4ac334838e.pdf?index=true
    • https://6d65c63c-560b-4926-afa0-3e8f571368fb.filesusr.com/ugd/595093_55194e2ede624d32a60e03ed3ed75e59.pdf?index=true
    • https://14474b5d-bdaf-48cd-8842-3e7e0e0bec5b.filesusr.com/ugd/314c35_cf0b18a0bd394debaf4f3d21969c4847.pdf?index=true
    • https://f1da5b09-5836-4f99-8910-8bbc8cdb5aff.filesusr.com/ugd/3ed902_1d9ddba3d607472188c5d4a79df861cc.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0437/2843/7409/files/dokemiga.pdf
    • https://cdn.shopify.com/s/files/1/0433/6992/2714/files/duredi.pdf
    • https://cdn.shopify.com/s/files/1/0447/4735/8362/files/afforestation_essay.pdf
    • https://cdn.shopify.com/s/files/1/0438/9902/7611/files/cgi_information_systems_hyderabad_address.pdf
    • https://cdn.shopify.com/s/files/1/0434/3542/5944/files/34866730683.pdf
    • https://2f501b19-c78b-4fc1-8591-cc18b1b45c16.filesusr.com/ugd/fe83c3_5990d0e8935a4dc0aa554224d45e4fa1.pdf?index=true
    • https://079fc123-92c5-4934-9652-eb73ddd0130c.filesusr.com/ugd/1e11d0_3ba72d10596e4e94a86160071c5a941c.pdf?index=true
    • https://6af0a41e-b4f5-42cd-9eec-07d1460c921b.filesusr.com/ugd/55e2c6_f01e723a527c4527a582798676ccffb2.pdf?index=true
    • https://9ed08613-094f-4149-b35e-7bb888041dfb.filesusr.com/ugd/db80c5_068e12254c3e4473993deea4785e5ada.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000674c.bin
SHA-256: 575f0a6e2e37ef5fce7fcd6a55a219ea78baa47ca25911834966a6a4f2050358
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x674C
Size: 5236 bytes

Filename: font_01_sfnt_off00007908.bin
SHA-256: fefff5e23cead1bf674816d5e2db50b5c2c03f16900276bd7986db971de9f5d1
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7908
Size: 10388 bytes

Filename: font_02_sfnt_off00009cf2.bin
SHA-256: f283a563ee48c68d0f210b91d059b93f2da97875a4894e08c15e1f8ed5b97a7d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x9CF2
Size: 16076 bytes