Malicious PDF — malware analysis report

Static analysis result for SHA-256 317d20abba4c3c3e…

Verdict: MALICIOUS
File type: PDF
Size: 37.2 KB
Created: 2020-09-18 09:15:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 02b177fe7c89a23879e3c1ff89e899ec
SHA-1: 8f4b75669a0ebc089b025e07a2aa172498c8b08b
SHA-256: 317d20abba4c3c3e5fca1f4a4623c82aa2ae38096d1ab7a012fb99bdb5c7b5ad
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 Malicious Link

The PDF was flagged by two critical heuristics: it carries a clickable link to known malicious redirector infrastructure, and it is a small file packed with external PDF links (a link farm). The primary malicious URL, https://ttraff.com/wix?keyword=the+rie+manual+for+parents+and+professionals+pdf, is most likely used to funnel victims to further malicious content. The document body, though heavily obfuscated, contains references to the same URL, which reinforces its role in the attack. No parser exploit or embedded script was identified; the sample depends on the victim clicking a link.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/wix?keyword=the+rie+manual+for+parents+and+professionals+pdf (primary; link annotation, also referenced in the document body)
    • https://99857514-aa09-4b45-9275-3b83f1a71203.filesusr.com/ugd/5f5755_aba2dbffa587441999afa4cefe06a451.pdf?index=true
    • https://c6cdfa87-a1fe-470d-9a05-4637eed5d7df.filesusr.com/ugd/c8d394_158f433cd99f46b4ace5b9c95a355142.pdf?index=true
    • https://5691d49d-15cc-4211-a45c-609e05cb41a9.filesusr.com/ugd/575fb0_6338807dc3174ddab1a2a97f209a24cd.pdf?index=true
    • https://51f99ddb-5aa1-4fcd-9a1f-d51698288386.filesusr.com/ugd/d61b30_1689ef4cad724944885b2b51e0ebd250.pdf?index=true
    • https://c204c261-34f8-4128-8fa4-05d9b7680103.filesusr.com/ugd/9c58c5_e212a1da169c420eb4292873d0b74597.pdf?index=true
    • https://457edc7d-f046-4c70-8413-2899c902b002.filesusr.com/ugd/e643da_bb684485ef18439289729c614e9099cb.pdf?index=true
    • https://7ee70f2c-0dea-4a82-8473-b962d4c32a19.filesusr.com/ugd/f91cf1_b974952999624e6a84d5f0d7cb3252de.pdf?index=true
    • https://5d2cf81b-b082-4767-9296-b08e6c45c999.filesusr.com/ugd/ff3115_96ffcf0a74e04a309027db5ef8d3063d.pdf?index=true
    • https://d43ba13f-d8ec-4c6d-98d1-4b742ab396f3.filesusr.com/ugd/7baf93_9b4066eee73b43319f6aa94fa39d44ad.pdf?index=true
    • https://5cb6f12e-7ec9-4a0e-b324-ff20952af186.filesusr.com/ugd/e54fc7_39890b354b6a4878b26957fdaa84329e.pdf?index=true
    • https://dbe970e2-027c-4753-af9d-eafbb5b02e3e.filesusr.com/ugd/54dfea_156b6b1892ec410d90d10f46a565ace8.pdf?index=true
    • https://1e8a73b2-c9ff-49dd-88bf-630d03e3b6f4.filesusr.com/ugd/3283b0_b2c0e3a59cd546bf92046b0b268f9f22.pdf?index=true
    • https://480a6507-2f1a-45b6-801d-0edcb83495bf.filesusr.com/ugd/943725_23971ffd5b1d4fd1aee6c46bf4682fc7.pdf?index=true
    • https://a785e780-2d35-46a7-8704-0a5d228e2703.filesusr.com/ugd/067ecb_add7ab937f4f4745b8f5d53891ee95c9.pdf?index=true
    • https://31d7c765-3296-4f03-9b93-7fc9e9d5f2a6.filesusr.com/ugd/b27199_889a1739bcf64edf96acc09b4627a57b.pdf?index=true
    • https://6d684e9f-6f3f-417c-8364-0162ada427c3.filesusr.com/ugd/8bc2a6_5305ad86fb1c462f886a07a04452b042.pdf?index=true
    The remaining six URIs are XMP/RDF namespace identifiers from the document's metadata stream, not clickable links:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
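The per-channel URL labelling and the two critical heuristics above can be reproduced with a small scanner. The Python below is an added example written for this report, not the analysis platform's own code: the sample PDF it builds, the hostnames (cdn-host.example, redirector.example), the redirector list and the thresholds (8 links, 200 KB, 70 % of .pdf links on one parent domain) are assumptions chosen for the demonstration, not values taken from the analysed file. It walks the PDF object by object, tags each URL with the channel that reached it (link annotation, JavaScript action, content stream text, XMP metadata), inflates FlateDecode streams so body text is visible, and then applies a link-farm test and a redirector-host test.

```python
# Added example for this report, not the analysis platform's own code. The sample
# PDF, hostnames, redirector list and thresholds below are constructed placeholders.
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"(?P<dict><<.*?>>)\s*stream\r?\n(?P<data>.*?)endstream", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")   # literal-string /URI only
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")

def _unescape(lit: bytes) -> str:
    """Undo backslash escapes inside a PDF literal string."""
    return re.sub(rb"\\(.)", rb"\1", lit).decode("latin-1")

def extract_urls(pdf: bytes) -> list[tuple[str, str]]:
    """(channel, url) pairs; channels mirror the report's per-URL labels."""
    found: list[tuple[str, str]] = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(2)
        if re.search(rb"/Subtype\s*/Link", body):      # clickable link annotation
            found += [("link_annotation", _unescape(u.group(1))) for u in URI_RE.finditer(body)]
        if re.search(rb"/S\s*/JavaScript", body):      # JavaScript action carrying a URL
            found += [("javascript", u.group(0).decode("latin-1")) for u in URL_RE.finditer(body)]
        sm = STREAM_RE.search(body)
        if sm:
            sdict, data = sm.group("dict"), sm.group("data")
            if b"/FlateDecode" in sdict:                # inflate; decompressobj ignores the trailing EOL
                try:
                    data = zlib.decompressobj().decompress(data)
                except zlib.error:
                    continue                            # truncated or corrupt stream
            channel = "xmp_metadata" if b"/Metadata" in sdict else "document_body"
            found += [(channel, u.group(0).decode("latin-1")) for u in URL_RE.finditer(data)]
    return found

def registrable(host: str) -> str:
    """Collapse <uuid>.host.tld to host.tld (naive; use the Public Suffix List in production)."""
    return ".".join(host.lower().split(".")[-2:])

def seo_link_farm_verdict(pdf: bytes, min_links: int = 8, max_size: int = 200 * 1024,
                          cluster_share: float = 0.7) -> dict:
    """PDF_SEO_LINK_FARM-style check; the thresholds are assumptions for this example."""
    pdf_links = [u for ch, u in extract_urls(pdf)
                 if ch == "link_annotation" and urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(registrable(urlsplit(u).hostname or "") for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    return {"size": len(pdf), "pdf_links": len(pdf_links), "top_host": top_host,
            "top_host_share": round(share, 2),
            "PDF_SEO_LINK_FARM": len(pdf) <= max_size and len(pdf_links) >= min_links
                                 and share >= cluster_share}

def redirector_hits(pdf: bytes, known_hosts: frozenset[str]) -> dict[str, list[str]]:
    """PDF_MALICIOUS_REDIRECTOR_LINK-style check: channels reaching a listed host."""
    hits: dict[str, list[str]] = {}
    for ch, u in extract_urls(pdf):
        if ch != "xmp_metadata" and (urlsplit(u).hostname or "").lower() in known_hosts:
            hits.setdefault(ch, []).append(u)
    return hits

def build_sample_pdf(n_pdf_links: int = 10) -> bytes:
    """Constructed sample: n_pdf_links Link annotations to .pdf paths on per-tenant
    subdomains of one placeholder host, one Link to a placeholder redirector, a
    FlateDecode content stream repeating that URL, and an XMP metadata stream."""
    redirector = "https://redirector.example/go?keyword=sample+manual+pdf"
    uris = [f"https://tenant-{i:02d}.cdn-host.example/ugd/doc_{i:02d}.pdf?index=true"
            for i in range(n_pdf_links)] + [redirector]
    content = zlib.compress(f"BT /F1 12 Tf (Download: {redirector}) Tj ET".encode())
    xmp = b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>'
    annots = b" ".join(b"%d 0 R" % (6 + i) for i in range(len(uris)))
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [" + annots + b"] >>\nendobj\n",
        b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream\nendobj\n",
        b"5 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream\nendobj\n",
    ]
    objs += [f"{6 + i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 200 20] "
             f"/A << /S /URI /URI ({u}) >> >>\nendobj\n".encode() for i, u in enumerate(uris)]
    return b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    sample = build_sample_pdf()
    print(seo_link_farm_verdict(sample), redirector_hits(sample, frozenset({"redirector.example"})))
```

Run directly, it prints the verdict for the constructed sample: the link-farm rule fires because all ten .pdf links collapse to one parent domain, and the redirector host is reported from both the link annotation and the inflated body text, which is exactly why a plain strings search on a wkhtmltopdf output misses the second reference. The scanner is deliberately minimal: it does not expand PDF 1.5 object streams (/ObjStm), hex-string /URI values or indirect /A action objects, so for real triage take the URL extraction from pdf-parser.py or pypdf and keep only the heuristic logic.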

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000051fd.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x51FD   5228 bytes
  SHA-256: 33fc8a100a6d238a7ce2b26461af0d31eb486e599065d5640d99d05c6d9fca87
font_01_sfnt_off00006394.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6394   10544 bytes
  SHA-256: 4dd61db6e10322475c688e86da8744716ed8216fbb1bdfc8b1189ece6c4e9767