Malicious PDF — malware analysis report

Static analysis result for SHA-256 376bfa8f4a9a0d47…

MALICIOUS

PDF

34.6 KB Created: 2020-08-30 13:02:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bef607cda1c2356aa08b3f03acf32c73 SHA-1: 3717b03dcb3cfedfdcfc624f5910973d3c58a49f SHA-256: 376bfa8f4a9a0d47c8af498ec0b1d156576947a62e7b6d5fd453e706746c3d2b
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/wix?keyword=100+tuesday+tips+griz+and+norm+amazon'. The document body, though heavily obfuscated, also contains this URL and appears to be a lure. The presence of a large number of external PDF links, many hosted on static.usrfiles.com, suggests a link farm or SEO poisoning attempt to distribute malicious content. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=100+tuesday+tips+griz+and+norm+amazon
    • https://static.usrfiles.com/ugd/b8c837_ab89e308f1e74511b47174b0abef6d3a.pdf
    • https://static.usrfiles.com/ugd/b8c837_d411eca74660407d873d09231a012fef.pdf
    • https://static.usrfiles.com/ugd/b8c837_27a0d77b368d467cbf1d346bdddbaac8.pdf
    • https://cdn.shopify.com/s/files/1/0432/9511/3374/files/bawedibomujosifixaz.pdf
    • https://cdn.shopify.com/s/files/1/0428/5746/3964/files/90636724988.pdf
    • https://cdn.shopify.com/s/files/1/0439/8442/1022/files/69814494769.pdf
    • https://cdn.shopify.com/s/files/1/0431/1141/5962/files/10021944250.pdf
    • https://cdn.shopify.com/s/files/1/0436/1024/3229/files/42246068079.pdf
    • https://static.usrfiles.com/ugd/e02969_2faf8ad93bfa4039b6560b73bddc3b8b.pdf
    • https://static.usrfiles.com/ugd/b8c837_4ce93d7e56684d80976aec5ef8e902b1.pdf
    • https://static.usrfiles.com/ugd/eb4c03_712a8de2fc5042c4b9da30242dc119cf.pdf
    • https://static.usrfiles.com/ugd/b8c837_8a9d058f15784e0e959883538ad64371.pdf
    • https://static.usrfiles.com/ugd/2b25b5_b7d3c52500f247b7b7075b77161b8b60.pdf
    • https://static.usrfiles.com/ugd/4dd980_a244bb7435c0425195795f481133d47d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000048c3.bin
987cba7c550326ab1a7da7f70fb8c7c7024244891c31ea2663249e28a9868738		 pdf-font-stream PDF embedded font (sfnt) at offset 0x48C3 5500 bytes
font_01_sfnt_off00005b6c.bin
d72de389d74129a1e2a039da05b84a5009eb37704e0d83b148c2292b41655bbf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5B6C 10124 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.