Malicious PDF — malware analysis report

Static analysis result for SHA-256 2421ccfbd8fd0e11…

Verdict: MALICIOUS
File type: PDF
Size: 54.8 KB
Created: 2020-08-30 05:42:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9b3d8af47dce65d7294fe0e7b8a15a8a
SHA-1: 4fcce115fec28970b41f1a7b3da32709cbb99d81
SHA-256: 2421ccfbd8fd0e1161ab3931eacc802e974c6ce38dc48ce2a9495e07b7ef6859
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF carries a deceptive title and a large number of embedded link annotations, most of them pointing to a link farm hosted on static.usrfiles.com. One critical heuristic fires because the document links to known malicious redirector infrastructure, specifically 'https://ttraff.ru/wix?keyword=iranian+porn+movie', which indicates it is built to route users into a redirect chain, most likely for phishing or unwanted-software delivery. The wkhtmltopdf producer string is consistent with the file having been generated from HTML rather than authored by hand. No scripts were extracted and the document body is heavily obfuscated, so the threat depends on a user clicking a link rather than on a parser vulnerability. Note that the T1059.001 (PowerShell) mapping is not supported by anything extracted from this sample, since no scripts were found; treat it as a campaign-level association rather than observed behaviour.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Clickable link targets:
    • https://ttraff.ru/wix?keyword=iranian+porn+movie (the PDF_MALICIOUS_REDIRECTOR_LINK hit above)
    • https://static.usrfiles.com/ugd/9219f8_3aa2d93c452541b78d28deed8d808594.pdf
    • https://static.usrfiles.com/ugd/0d089b_a362a3b45efb4b5c9c8d471f9bc965ac.pdf
    • https://static.usrfiles.com/ugd/cac9e4_44a35c173a7a4c499d6333a8191acff1.pdf
    • https://cdn.shopify.com/s/files/1/0434/9440/8354/files/operations_manager_roles_and_responsibilities.pdf
    • https://static.usrfiles.com/ugd/d1c05f_88830e496616473199b6919511c46cb2.pdf
    • https://static.usrfiles.com/ugd/d2751c_5e294945f06e4da7a71eb8ebd125ac69.pdf
    • https://static.usrfiles.com/ugd/409ca8_0d88c3a445f241c6a947f3d47a307dbb.pdf
    • https://static.usrfiles.com/ugd/b8c837_ffdba306e8c349b2bb3b062d0249fb7e.pdf
    • https://static.usrfiles.com/ugd/b8c837_78309560db1647f0b27ad2fabc2e080a.pdf
    • https://static.usrfiles.com/ugd/b8c837_f0df0ede68d24257857ef5e4911b38e9.pdf
    XMP/RDF namespace URIs from the document's metadata stream (schema identifiers, not clickable links; expected in any XMP-bearing PDF and not evidence on their own):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_005_off00009c8e.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x9C8E | 28836 bytes
    SHA-256: eec67c2656d60e6f033762cd815081ce42e7966d57e2f17860e615d56d33a864
font_00_sfnt_off0000665b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x665B | 4752 bytes
    SHA-256: 3bb943bf13bee6e12c5d4980c4500584d183d60b1840abfeed07c1e360cccced
font_01_sfnt_off00007668.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7668 | 11352 bytes
    SHA-256: 11b55b6d17f8db3042c68c6cdf4e565490e7d2c9bd9ac74a47a8ab8a9cfae683

The two sfnt streams are embedded TrueType font subsets, consistent with font subsetting by the Qt PDF backend named in the producer string; the FlateDecoded stream is the one worth inspecting after decompression, since the link annotations and document text are only readable once inflated.