Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f68fea7b2338f96…

MALICIOUS

PDF

56.6 KB Created: 2020-08-31 04:39:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cc611dd0939324d1b7a168623bb760c1 SHA-1: a49c0b108c77705919631f1a5faa24ca4efc1bdd SHA-256: 2f68fea7b2338f96cb1ade2644cfd40f0c839f6b18249da44ee61de11ea40e65
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, many hosted on 'static.usrfiles.com'. The document body, though heavily obfuscated, contains the same redirector URL and a link to a PDF on 'static.usrfiles.com', suggesting a lure to a malicious site. No scripts were extracted, but the presence of a malicious redirector and link farm indicates a phishing or redirection attack.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=star+wars+imperial+guard+theme
    • https://static.usrfiles.com/ugd/a2ebd8_4b455363cd8e4312ad953bf4268fabc2.pdf
    • https://static.usrfiles.com/ugd/362633_f3a224a1fbeb4ff6a462c05923ab6925.pdf
    • https://static.usrfiles.com/ugd/963627_321cbd54799945d3bee07612c3684e64.pdf
    • https://static.usrfiles.com/ugd/353d00_39e8f33b34e54be2a80f1d98ea3a942d.pdf
    • https://static.usrfiles.com/ugd/d162e3_8b5d3acfea8940aa850c7a0420d72439.pdf
    • https://static.usrfiles.com/ugd/c1de29_b1e05842bf7e4a7bb166cf94f1feefd5.pdf
    • https://static.usrfiles.com/ugd/c068f8_cd2178063403452695158472511cc11e.pdf
    • https://static.usrfiles.com/ugd/b8c837_3b9e23b4b9934d2db19b0d21ea6496d7.pdf
    • https://static.usrfiles.com/ugd/913720_0149343e841c4101807ae5f314656718.pdf
    • https://cdn.shopify.com/s/files/1/0429/1995/2550/files/42242231772.pdf
    • https://cdn.shopify.com/s/files/1/0433/5170/3706/files/66922869277.pdf
    • https://cdn.shopify.com/s/files/1/0433/6880/8613/files/lososuwepajikubopujak.pdf
    • https://cdn.shopify.com/s/files/1/0431/3343/6071/files/vaxefexizum.pdf
    • https://cdn.shopify.com/s/files/1/0428/0382/2755/files/pathophysiology_of_liver_disease.pdf
    • https://cdn.shopify.com/s/files/1/0434/1520/8085/files/cardboard_pinhole_camera_template.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/rikujolam.pdf
    • https://cdn.shopify.com/s/files/1/0431/8865/0142/files/dipuzuparo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007af6.bin
218615c96ca80467247facc766f9c2f2584948c92711c8aede41886f3cdaaaab		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7AF6 2984 bytes
font_01_sfnt_off000085a5.bin
912a8cbd8eaa2e80e38911837ac6b05d1d9a571fcb0a6fdbbfcedad082dc6aee		 pdf-font-stream PDF embedded font (sfnt) at offset 0x85A5 5568 bytes
font_02_sfnt_off0000987c.bin
5f6ef4c080d153622e5ae936471ebf5da6fe19f18e20b0d40766ced7cbd04fd4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x987C 10928 bytes
font_03_sfnt_off0000bcee.bin
b2262f5e888b589ea317d9f474487b27028cebd073fc4280985b145c3962df5e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBCEE 16832 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.