Malicious PDF — malware analysis report

Static analysis result for SHA-256 3571fce2eceec04c…

MALICIOUS

PDF

55.7 KB Created: 2020-08-31 11:43:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a1ccd92e2833a081fbf8a63882f69143 SHA-1: 2206d78d582f9b1ce0f7c4d04a185e30e26809e6 SHA-256: 3571fce2eceec04c33c6c96855e9a04961b894af96ec59c57f30cf6668117350
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.com, which is disguised with a keyword related to 'God Eater Resurrection Clothes'. This suggests a phishing or social engineering attack aimed at directing users to malicious content. The PDF also functions as a link farm, with numerous embedded links pointing to external resources, many of which are hosted on static.usrfiles.com. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=god+eater+resurrection+clothes
    • https://static.usrfiles.com/ugd/c836c3_efbf9f4fe0a644fe95a23372258a70b9.pdf
    • https://static.usrfiles.com/ugd/b8c837_5582239335634f1e99800c337b8d7263.pdf
    • https://static.usrfiles.com/ugd/2813e2_e594c5e779dd4cc4a6606b5a6cb89d8c.pdf
    • https://static.usrfiles.com/ugd/3b47cb_525d19794ec94deca89cefc26f5665c2.pdf
    • https://cdn.shopify.com/s/files/1/0429/9672/7957/files/jajegavewoparogepudedus.pdf
    • https://cdn.shopify.com/s/files/1/0433/6028/8927/files/34432595844.pdf
    • https://static.usrfiles.com/ugd/b8c837_7ab2735ed65648c4a259943546cac86a.pdf
    • https://static.usrfiles.com/ugd/b8c837_089a8b38dd1e4c93b8bcb36319bd1e76.pdf
    • https://static.usrfiles.com/ugd/74e905_156466fbd2ff4a759ecbf011ba3342c1.pdf
    • https://static.usrfiles.com/ugd/b8c837_438e1362bc0744e18a14f7939ea4c637.pdf
    • https://static.usrfiles.com/ugd/9d869b_c5c5131c04304b4992da5847fd76c94d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006071.bin
bf5019c3771b6ae91357ac33ce58c7a4f1448e2dfc147cd9e8af9f4d212b2123		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6071 14812 bytes
font_01_sfnt_off00009068.bin
8c6014095e7516fa072c6ed1bcf53ac3d26ce4fc164e43ed3ea10c6c5f02c454		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9068 5056 bytes
font_02_sfnt_off0000a18d.bin
6b9bd8f3f7dff9b060825d855e4cca18ee30ea72c98c7c9c7d4928a2062b9f3a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA18D 15612 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.