Malicious PDF — malware analysis report

Static analysis result for SHA-256 2354ca9f698ec91e…

MALICIOUS

PDF

Size: 46.6 KB
Created: 2020-09-01 03:13:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c06d095a1a19426e435d91faea73c382
SHA-1: 4e9a454f48682e09d92c41c8cf2b5dd9d5d64b68
SHA-256: 2354ca9f698ec91edc1ffb35bb6ab299a4e389b0399d0346965951feb25bf22b
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. This URL is likely part of a phishing or malware distribution chain. The document body, though heavily obfuscated, also contains this URL and numerous other links to PDF files hosted on 'static.usrfiles.com', suggesting a link farm or SEO poisoning attempt to lure victims. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL (link annotation, redirector): https://ttraff.com/wix?keyword=girlfriends+guide+to+divorce+season+4+recap

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007892.bin
  SHA-256: d22c44e4353ba827620fd2cf48171b69f0279f23ec7b0b55b01cf6ac9cfd729c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7892
  Size: 5500 bytes

Filename: font_01_sfnt_off00008b6e.bin
  SHA-256: a7a8cc37fe820d58e0ddbf305f2590f15c4775839c8ef3d4892f75c984adf7e8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8B6E
  Size: 10052 bytes