Malicious PDF — malware analysis report

Static analysis result for SHA-256 2b93ab13cd0788be…

MALICIOUS

PDF

39.6 KB Created: 2020-09-03 02:56:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 01b3a4ff0e8730d5fc67b2ce2afcc91d SHA-1: a190c644176fc56aba991b1897c7483126f2d612 SHA-256: 2b93ab13cd0788be789ee3b6c55e819648327280ed3058ad985780c71062a70d
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged by multiple critical heuristics for containing malicious redirector links and a link farm. The primary malicious URL identified is `https://ttraff.cc/pify?keyword=video+editor+online+no++free`, which is part of a known malicious redirector infrastructure. The document body, though heavily obfuscated, contains references to video editing and the tool used to generate the PDF, suggesting a lure. The presence of numerous links to `static.usrfiles.com` indicates a link farm strategy.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=video+editor+online+no++free
    • https://static.usrfiles.com/ugd/f90bad_92c3c27071304157b0b82c9bb81448bc.pdf
    • https://static.usrfiles.com/ugd/b65acf_7dfeba33ceb142a38e406ddac4234a33.pdf
    • https://static.usrfiles.com/ugd/7e0eb0_dca37f977bb443ea9e02979a75502167.pdf
    • https://static.usrfiles.com/ugd/d9d1f5_0231ae7507e348d7a19c501aa93b20c4.pdf
    • https://static.usrfiles.com/ugd/64f9d2_b9467fe154b74949b7b6fea7f6bcb828.pdf
    • https://static.usrfiles.com/ugd/ddb60a_b047f0d469c749fcab18a576b0fe1adb.pdf
    • https://static.usrfiles.com/ugd/2f3216_29acddbbdbfd4730b964c00c214312f2.pdf
    • https://static.usrfiles.com/ugd/cacfd7_7280a29686d4429dadad7fd9a67a4d27.pdf
    • https://cdn.shopify.com/s/files/1/0430/4361/8965/files/30975021868.pdf
    • https://cdn.shopify.com/s/files/1/0464/7351/1064/files/xuzukikutukadepul.pdf
    • https://static.usrfiles.com/ugd/1849a1_9777db46dfcd41409b7ece7fa34aec7e.pdf
    • https://static.usrfiles.com/ugd/c1615c_c53212ac8c4a4f91a63fe8f8d9490362.pdf
    • https://static.usrfiles.com/ugd/f80014_e4635d75a22c49cabdb1644be1b1d218.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005fcf.bin
5402c58df531467dc03f7d86a20c6a210ba1580fdc3782d339b1efdda15d0662		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FCF 4480 bytes
font_01_sfnt_off00006f17.bin
1337f4947bfa435e16956534be6f13ff4d31cd14b581b77b8f718b08c640d4d3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F17 10260 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.