Malicious PDF — malware analysis report

Static analysis result for SHA-256 325eabc2d3ba19b8…

Verdict: MALICIOUS
File type: PDF
Size: 71.4 KB
Created: 2020-09-01 02:39:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1dd2142f14b4c11e311374d3059f5f6a
SHA-1: eb654d0ba3c48615e4a262721de9843635aae8d9
SHA-256: 325eabc2d3ba19b80521d794a963cb2ddb3b4379237b6d547db31140efcee186
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a significant number of embedded links, with one pointing to a known malicious redirector (ttraff.com). The ML classifier also strongly indicated maliciousness. The document body, though heavily obfuscated, contains references to the malicious URL and numerous other PDF links, suggesting a link farm or SEO manipulation tactic. No scripts were extracted, but the PDF structure and URL analysis are sufficient to infer a malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/wix?keyword=radar+beamforming+basics
    • https://static.usrfiles.com/ugd/8de238_13da1e50d4f84521a107892d14af2785.pdf
    • https://static.usrfiles.com/ugd/865d50_0f9b051d8e8648c5a36921de72991275.pdf
    • https://static.usrfiles.com/ugd/b8c837_d424ac2844b1474390a801dd8b290f2a.pdf
    • https://static.usrfiles.com/ugd/b8c837_945b6f7220ff415db9fb288c663fedef.pdf
    • https://static.usrfiles.com/ugd/0c4177_31cbf25b0fab405ca2128b2abd050542.pdf
    • https://static.usrfiles.com/ugd/fd3290_7e305fc217584f7dac8051e7d8b4b07a.pdf
    • https://static.usrfiles.com/ugd/696b8a_76314488a68147fca2d90c315231503d.pdf
    • https://static.usrfiles.com/ugd/d9d1f5_1a39e04cd696498bb48f0d14e19ddc7a.pdf
    • https://static.usrfiles.com/ugd/63d3ad_ff40dec291964a39a9d1ff02fd487512.pdf
    • https://static.usrfiles.com/ugd/b8c837_14528a42e0e348f6a6ba60112970bfb4.pdf
    • https://static.usrfiles.com/ugd/cd79e3_10f8941f56b04a499c3d243e5ff71d52.pdf
    • https://static.usrfiles.com/ugd/a91264_020097645db349c5bec54bb23af0e145.pdf
    • https://static.usrfiles.com/ugd/451461_cf812c65d4eb4db1960c096e9414f587.pdf
    • https://static.usrfiles.com/ugd/f7fbc8_a8b202ebf4304330ab01ca70a4854e70.pdf
    • https://static.usrfiles.com/ugd/9374a7_907bf7456e5d4b14a8d353088fd398a5.pdf
    • https://static.usrfiles.com/ugd/b8c837_28a425e369a54c39bbb2a8fcb70a94a6.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00009c74.bin
    SHA-256: 47545881093d22349e880aa418f3dfbb3d036cff1881907332ef7be843b1c4dd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9C74
    Size: 8048 bytes
  • font_01_sfnt_off0000b7a4.bin
    SHA-256: a3e6708faed276b76958a6ee80dd9fc1eeb27b077851159c51df591f54a4f401
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB7A4
    Size: 5164 bytes
  • font_02_sfnt_off0000c91b.bin
    SHA-256: a1f94263deac891f13a4c909e088f0dab53d6e517e650817b93308ef654645e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC91B
    Size: 10532 bytes
  • font_03_sfnt_off0000ed6b.bin
    SHA-256: c43c81af3addadc619f1b50b0eb79006c69e58cb90abf43f7a5fbd940e22698c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xED6B
    Size: 16060 bytes
  • font_04_sfnt_off000101ff.bin
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x101FF
    Size: 4324 bytes