Malicious PDF — malware analysis report

Static analysis result for SHA-256 3fde1bfda18f39a3…

Verdict: MALICIOUS
File type: PDF
Size: 162.2 KB
Created: 2020-09-02 09:48:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 03dd83d5eda10a7662c3a14d17d3ca6f
SHA-1: 363c7f1eb73c281ee52190af7f90c18dd367b9a9
SHA-256: 3fde1bfda18f39a375a616f383f316f813dbc19044422b9d24f65533105b6ef3
Risk score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Link: a PDF lure whose clickable link leads to redirector infrastructure. Delivery of the PDF itself as a mail attachment would map to T1566.001 Spearphishing Attachment.
  • T1059.001 PowerShell: assigned by the platform, but not supported by the static evidence in this report, since no scripts were extracted from the sample.

The PDF was flagged by a machine learning classifier and triggered a critical heuristic: it carries a clickable link to known malicious redirector infrastructure. The embedded URL, https://ttraff.cc/wix?keyword=left+right+arrow+icon, is the primary indicator of malicious intent; it most likely serves as a lure to a phishing page or a malware download. The remaining extracted URLs point to further PDFs hosted on third-party file CDNs (static.usrfiles.com, cdn.shopify.com), consistent with the SEO/adware document cluster named by the heuristic, and to standard XMP metadata namespaces, which are not indicators. No scripts were extracted, so the sample itself carries no executable payload; any further analysis of the payload has to follow the redirect chain in a sandbox rather than the document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9585

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
    URL: https://ttraff.cc/wix?keyword=left+right+arrow+icon
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The per-URL channel labels are not reproduced in this report.
    Extracted URLs:
    • https://ttraff.cc/wix?keyword=left+right+arrow+icon (flagged by PDF_MALICIOUS_REDIRECTOR_LINK)
    • https://static.usrfiles.com/ugd/756799_33c3886c932a4d38b5ac0bc62bf0b9fd.pdf
    • https://static.usrfiles.com/ugd/7c3584_e2f3d40ff55b4fb49ae140cd322510c5.pdf
    • https://static.usrfiles.com/ugd/eddc50_3b7281fc563d459093db480074fc3486.pdf
    • https://static.usrfiles.com/ugd/b8c837_0b29095131b647f2a26fc780a904d88b.pdf
    • https://static.usrfiles.com/ugd/0286dd_e5f2a132d67c443cbc77f91229a3713e.pdf
    • https://static.usrfiles.com/ugd/a4c1fa_43822aa92e5944c7aa1ffb1862f025aa.pdf
    • https://static.usrfiles.com/ugd/8b2c09_d2bf1df2f9094010a0e531a7e4d4e0d4.pdf
    • https://static.usrfiles.com/ugd/ba3095_7dd694157e0e412ca7cd6fcc8a3d3a38.pdf
    • https://static.usrfiles.com/ugd/de3d83_ce681626d7d44004a232563eec9a0205.pdf
    • https://static.usrfiles.com/ugd/a58b01_03a3ddfef2f341ba8f5457c0ce54f241.pdf
    • https://static.usrfiles.com/ugd/b8c837_67c5535f64cc4a94b305c7f231320b18.pdf
    • https://static.usrfiles.com/ugd/b8c837_12b032929c1c4d90a34db89513d70f04.pdf
    • https://static.usrfiles.com/ugd/857e61_89af4d5ae7964425a3a6407ba873d7e8.pdf
    • https://cdn.shopify.com/s/files/1/0430/6308/3162/files/fagobaniniveb.pdf
    • https://cdn.shopify.com/s/files/1/0435/4162/7029/files/tamimamobirogajajimiwimad.pdf
    • https://cdn.shopify.com/s/files/1/0437/1018/5623/files/ayyappa_swamy_dj_remix_songs.pdf
    • https://cdn.shopify.com/s/files/1/0429/5104/9370/files/61488392639.pdf
    Metadata namespace URIs (XMP/RDF schema identifiers from the document's metadata stream, not navigable links; they appear in almost every PDF and should be suppressed before the URL list reaches an analyst):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (12)

Files carved from inside the sample during analysis. Each entry gives Filename | Kind | Source | Size, with the artifact's SHA-256 on the following line.

stream_012_off00016cff.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x16CFF | 29388 bytes
  SHA-256: 61dc00aaf06cd02fc4bf62881f0f006db705a17dee2e65e07d7952aab7260b5c
font_00_sfnt_off0000df24.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDF24 | 10988 bytes
  SHA-256: cc72746d57d874770b8fa38cb59e853edc7b00cb6a78cf32f68f947a0b980118
font_01_sfnt_off0000fcc7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFCC7 | 2348 bytes
  SHA-256: eff04d750179ad88b64e36109e62334535f604c27e3d0ef443d3a8d8a6093d77
font_02_sfnt_off00010652.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10652 | 3200 bytes
  SHA-256: 394094a4fc38b3c1f29804d5be9969bc886fcd1818d597e8a63cf05011c63840
font_03_sfnt_off000111b5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x111B5 | 1644 bytes
  SHA-256: 162c0a010de815b7113e95042773df5ff206858396d732a2cab15c40ed542f26
font_04_sfnt_off000119d9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x119D9 | 4752 bytes
  SHA-256: 4db5df71d1d8892698eeed7daef220d8100d0ef27d672397ea5be30e6d493eec
font_05_sfnt_off00012a04.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12A04 | 19616 bytes
  SHA-256: 386c175be12f6b57619bba2f20afc57ae1d51e171a1f1d06ba7e920904dd2d84
font_06_sfnt_off00015324.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15324 | 6620 bytes
  SHA-256: 6dd726c1add7b68bf2a72d0d454fe836d2ffd46bd6d0c7e2a19805b9cda8f1a0
font_07_sfnt_off00016345.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16345 | 2416 bytes
  SHA-256: 6c7d182df3303fafb7b7de3072a18d8971ba8499de062a263266eb90ce62f625
font_09_sfnt_off0001b715.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B715 | 14428 bytes
  SHA-256: c080e846557e270a73678278cb4d91b34e339a0361b9b0c42efa49e0d1e28feb
font_10_sfnt_off0001e4e6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1E4E6 | 61400 bytes
  SHA-256: 07f2eaf6820e47afedce6b18890d066e357af9ebae2a18a9f24abc78f2eda092
font_11_sfnt_off00026948.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x26948 | 4324 bytes
  SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e
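Worked example (added here; not code from the analysis platform that produced this report). The script below reproduces the two steps the findings above depend on: carving FlateDecode streams, as the decompressed-pdf-stream artifact shows, and extracting /URI link targets so that clickable link annotations are scored against a redirector host list while XMP namespace URIs are kept out of the detection, as the EMBEDDED_URL heuristic requires. It runs on a PDF constructed inline that embeds the report's ttraff.cc URL as a plain link annotation and one of the static.usrfiles.com URLs as a hex-encoded link inside a compressed object stream. The redirector host list, the object layout and the hex encoding are assumptions for the demo; the scanner is regex-based rather than a full PDF parser, so it tolerates a missing or broken xref table but will miss URIs that use octal escapes or are split across object boundaries.

```python
"""Added example (not the analysis platform's code): carve a PDF's FlateDecode
streams and triage its /URI link targets, separating clickable link annotations
from XMP namespace identifiers. Input is a constructed PDF built below."""
import re
import zlib
from urllib.parse import urlsplit

# The only redirector host the report names; a real deployment would load this
# list from threat intel.
REDIRECTOR_HOSTS = {"ttraff.cc"}

STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
URI_LIT_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)  # /URI (literal string)
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")       # /URI <hex string>
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9]+="([^"]+)"')     # XMP/RDF namespaces


def carve_streams(pdf):
    """Yield (offset, inflated_bytes) for every stream that inflates with zlib.
    Streams that are not Flate-compressed (e.g. plain XMP metadata) are
    skipped here; the scan of the raw file already covers them."""
    for m in STREAM_RE.finditer(pdf):
        try:
            inflated = zlib.decompress(m.group(1))
        except zlib.error:
            continue
        yield m.start(1), inflated


def _pdf_literal(raw):
    # Undo backslash escapes of delimiters; octal escapes are not handled.
    return re.sub(rb"\\(.)", lambda m: m.group(1), raw).decode("latin-1")


def uris_in(buf):
    """All /URI action targets in a buffer, literal or hex-encoded."""
    for m in URI_LIT_RE.finditer(buf):
        yield _pdf_literal(m.group(1))
    for m in URI_HEX_RE.finditer(buf):
        hexdata = re.sub(rb"\s", b"", m.group(1))
        if len(hexdata) % 2:  # PDF pads a missing final hex digit with 0
            hexdata += b"0"
        yield bytes.fromhex(hexdata.decode()).decode("latin-1")


def triage(pdf):
    """Return link targets, metadata namespaces, redirector hits and a verdict."""
    links, namespaces = [], []
    buffers = [pdf] + [inflated for _, inflated in carve_streams(pdf)]
    for buf in buffers:
        for uri in uris_in(buf):
            if uri not in links:
                links.append(uri)
        for m in XMLNS_RE.finditer(buf):
            ns = m.group(1).decode("latin-1")
            if ns not in namespaces:
                namespaces.append(ns)
    flagged = [u for u in links if (urlsplit(u).hostname or "") in REDIRECTOR_HOSTS]
    return {
        "link_annotations": links,     # clickable targets: the actual lures
        "xmp_namespaces": namespaces,  # schema identifiers: never a detection
        "flagged": flagged,
        "verdict": "MALICIOUS" if flagged else "NO_REDIRECTOR_HIT",
    }


def build_sample_pdf():
    """Constructed one-page PDF: a plain Link annotation carrying the report's
    lure URL, a second Link annotation hidden as a hex string inside a
    FlateDecode object stream, and an XMP metadata stream. No xref table is
    written; this scanner does not need one, and real lures often ship broken."""
    lure = b"https://ttraff.cc/wix?keyword=left+right+arrow+icon"
    sibling = b"https://static.usrfiles.com/ugd/756799_33c3886c932a4d38b5ac0bc62bf0b9fd.pdf"
    inner = (b"5 0 << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
             b"/A << /S /URI /URI <" + sibling.hex().encode() + b"> >> >>")
    objstm = zlib.compress(inner)
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    parts = [
        b"%PDF-1.4",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Annots [4 0 R 5 0 R] >> endobj",
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] "
        b"/A << /S /URI /URI (" + lure + b") >> >> endobj",
        b"6 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
        + xmp + b"\nendstream\nendobj",
        b"7 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\n"
        b"stream\n" % len(objstm) + objstm + b"\nendstream\nendobj",
        b"%%EOF",
    ]
    return b"\n".join(parts)


if __name__ == "__main__":
    for key, value in triage(build_sample_pdf()).items():
        print(key, value)
```

Against a real file, call triage(open(path, "rb").read()): anything in flagged is a redirector hit, anything in xmp_namespaces should be suppressed before the URL list reaches an analyst, and the hex-encoded link inside the object stream shows why the carving step matters, since a grep of the raw file never sees it.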