Malicious PDF — malware analysis report

Static analysis result for SHA-256 38fff07e7c8f20b9…

MALICIOUS

PDF

57.1 KB Created: 2020-09-01 14:03:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 972a3ed548179e70cbe36acdff9c6891 SHA-1: 6ea59ce593e8b17f85d9e69b64e2871949773f57 SHA-256: 38fff07e7c8f20b9eda76bd3e9cc6428d57811e2dc9aeb67cab8821a6dc32f66
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=algorithmic+problem+solving+with+python+pdf'. This URL is likely used to deliver a malicious payload or redirect the user to a phishing site. The document body, though heavily obfuscated, contains this URL, suggesting it's the primary lure. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=algorithmic+problem+solving+with+python+pdf
    • https://static.usrfiles.com/ugd/f103bb_11f5e884263a428fb1abb8a6f57f1bce.pdf
    • https://static.usrfiles.com/ugd/d7ba0f_c8b17240ec9547718af2fe483434de8f.pdf
    • https://static.usrfiles.com/ugd/599026_afb67a5e1bb34605898fff7576491bff.pdf
    • https://static.usrfiles.com/ugd/50c35f_1b491aa46c5c49f39c44338d57ec113d.pdf
    • https://static.usrfiles.com/ugd/8de238_fb5b08ff03794ae8b459c41acd263576.pdf
    • https://static.usrfiles.com/ugd/b8c837_67ce1697bf0343b7a365e191d739408a.pdf
    • https://static.usrfiles.com/ugd/bae363_4c0dff2bd1b34a57b5429da1f253dfcd.pdf
    • https://static.usrfiles.com/ugd/09273f_155b3f79a65741c3856de17ae3b923c7.pdf
    • https://static.usrfiles.com/ugd/b8c837_4c38232bcb744ef8919d9fbf7e0ddbee.pdf
    • https://static.usrfiles.com/ugd/cc14e4_a5102526ce1c4562a2fc556985af5238.pdf
    • https://static.usrfiles.com/ugd/32777b_45bee0fec6a54250bba5c798033a839d.pdf
    • https://static.usrfiles.com/ugd/b8c837_195e3f0534ea465ca49fba8be2f43f65.pdf
    • https://static.usrfiles.com/ugd/868401_2bce483289a3417caa712d76fb614957.pdf
    • https://static.usrfiles.com/ugd/b8c837_64602f17253746b2894340bece0bc7dd.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000093a6.bin
f4908f004b1dce8eee1dc02c0b61dd36a6ab1d5a36118f8b6f063b98642a260e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x93A6 5744 bytes
font_01_sfnt_off0000a728.bin
b8b318108471ac572044b1ea73a2613b2523aa75f574b8900129b1ca4c3713c2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA728 15336 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.