Malicious PDF — malware analysis report

Static analysis result for SHA-256 3681b7f0bf43d3a4…

MALICIOUS

PDF

47.5 KB Created: 2020-09-02 14:38:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a023425fa97919fce1208aee94b18441 SHA-1: 7e08d16e8ee49bb4a1c266fdfb23db5a6cb049a6 SHA-256: 3681b7f0bf43d3a45beceec38114aaec5bae0c6ba34d0fd82a4c83c5592bc209
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document was flagged as malicious due to the presence of a link farm containing numerous external links. One of these links, https://ttraff.link/wix?keyword=android+tablayout+example+github, points to a known malicious redirector. The document body contains obfuscated text and references to the redirector URL and other PDF files hosted on static.usrfiles.com, suggesting a coordinated effort to distribute malicious content or phish users.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=android+tablayout+example+github
    • https://static.usrfiles.com/ugd/296484_2234974b1ce34dbe97990388cad6633f.pdf
    • https://static.usrfiles.com/ugd/c46c8a_6f6ed9a3dfbf48c2a5ab481bf0392fea.pdf
    • https://static.usrfiles.com/ugd/b8c837_c4c98390795049f68859e338efc7fd0d.pdf
    • https://static.usrfiles.com/ugd/0aab01_38b7be80b8ad4f15862275c5d634d3c7.pdf
    • https://static.usrfiles.com/ugd/0c4177_0f0f69d75bb34908961a134164cb9afd.pdf
    • https://static.usrfiles.com/ugd/10b11f_aa7019d7b6284cee94f09a4ef9a4da53.pdf
    • https://static.usrfiles.com/ugd/b8c837_0dd0570dae5c4c2e9554067085331ac9.pdf
    • https://static.usrfiles.com/ugd/3e87bf_7585ba544b474d7a939c2f6998093bd1.pdf
    • https://static.usrfiles.com/ugd/ae15ca_726a47d8646c402099c2435c47aa2b25.pdf
    • https://static.usrfiles.com/ugd/eb4c03_6a50e616b21d43c4b6bcfad52ca2f5c9.pdf
    • https://static.usrfiles.com/ugd/69695d_47cd1391aac24519aafc21a8ef654670.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006257.bin
b17d6c78dccef4cd0fa9d0e89c9b474cdcea3365213f0e2ea3b0c86645f95e8d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6257 3268 bytes
font_01_sfnt_off00006e24.bin
d99c252f2e14c85609232128b462931a894583391c826daa3db10aa1897cc41d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E24 5492 bytes
font_02_sfnt_off000080b0.bin
efc83d654844205c80d24e7f1f702bfc2cfbab3873ff930fee34fea614a9aecd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x80B0 14660 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.