Malicious PDF — malware analysis report

Static analysis result for SHA-256 2376f45ab1e8c13d…

MALICIOUS

PDF

39.4 KB Created: 2020-08-29 12:14:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b36b19d8480abd9528e993f63c66b737 SHA-1: 453ed6ba7e35404ae3b2d498380b2d6ceb45b0fe SHA-256: 2376f45ab1e8c13dfed346ddcf5609094489beb77199b6781729c3be6b34e55a
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a malicious redirector link disguised as 'bathroom vanity plans'. The link leads to 'ttraff.me', a known malicious redirector. The document also contains a large number of embedded links, many pointing to 'static.usrfiles.com', which is flagged as a link farm. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=bathroom+vanity+plans+48
    • https://static.usrfiles.com/ugd/b8c837_5b07c5737e394be2a518881186bb99aa.pdf
    • https://static.usrfiles.com/ugd/b8c837_0bdac3d72fea41bc8d36751edac2cd38.pdf
    • https://static.usrfiles.com/ugd/b8c837_2fd837732916455a863ad6b20dd30770.pdf
    • https://static.usrfiles.com/ugd/b8c837_cd9af357b2694a81ad65a61be7d8105b.pdf
    • https://cdn.shopify.com/s/files/1/0433/9662/8641/files/formation_auriculothrapie_lille.pdf
    • https://cdn.shopify.com/s/files/1/0440/0214/8510/files/elemental_shaman_pawn_string.pdf
    • https://cdn.shopify.com/s/files/1/0435/5771/6117/files/wojozelowonuwizewudixoja.pdf
    • https://static.usrfiles.com/ugd/b8c837_f52ec25b35d0407d8f27524e9b91a89d.pdf
    • https://static.usrfiles.com/ugd/b8c837_94edcd628222499db122969ffb686d75.pdf
    • https://static.usrfiles.com/ugd/b8c837_50fe4327597e40628b8655c4b0f2605b.pdf
    • https://static.usrfiles.com/ugd/b8c837_8acef36893594428a8ad566ecad2be34.pdf
    • https://static.usrfiles.com/ugd/b8c837_7a9611631e2c47a1bae29aa0f52696d1.pdf
    • https://static.usrfiles.com/ugd/b8c837_459574c9743243d98399766eae500ad1.pdf
    • https://static.usrfiles.com/ugd/b8c837_ea145fc830984c73b15303f77353c4a6.pdf
    • https://static.usrfiles.com/ugd/b8c837_ca8dce59ae8643be993c3adc33c90af7.pdf
    • https://static.usrfiles.com/ugd/b8c837_2efdc721c5be42a198a14bccc0e9b925.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005845.bin
4a4739c489d815b961de2abf819ccfd163cda0f328d99b004f9c4243761d1fc6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5845 5552 bytes
font_01_sfnt_off00006b0d.bin
139d25b06ec8c1691f4d7de4a89f9053237657596a848c0d17f29410e2ba5c2b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B0D 10952 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.