Malicious PDF — malware analysis report

Static analysis result for SHA-256 463ef0412a3a6ace…

Verdict: MALICIOUS
File type: PDF
Size: 47.3 KB
Created: 2020-09-02 11:03:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cf7acbfe5691ec4cdfec7a99e02ae1d4
SHA-1: 53fb993324508061119dc94685cfd816e6ef6f98
SHA-256: 463ef0412a3a6ace987c6ae99fa9c15758f8f402f7903bd93bc42e388da468ff
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged as malicious by a machine learning classifier, and a critical heuristic identified a redirector link pointing to known malicious infrastructure. The embedded URL, 'https://ttraff.club/wix?keyword=%25D8%25AF%25D8%25A7%25D9%2586%25D9%2584%25D9%2588%25D8%25AF+uc+browser+mini+for+android', is likely intended to lure users into downloading malware. The document also contains a large number of other links to external PDFs, which is consistent with a link farm or SEO-poisoning carrier.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.club/wix?keyword=%25D8%25AF%25D8%25A7%25D9%2586%25D9%2584%25D9%2588%25D8%25AF+uc+browser+mini+for+android

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size

Filename: font_00_sfnt_off00004e17.bin
  SHA-256: 42f52fe0ec3d5de48494b11841c82d2b989edcbdf710d19e2db9ad5ce8b1f97e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4E17
  Size: 5272 bytes

Filename: font_01_sfnt_off00005ff9.bin
  SHA-256: dcaaf07b420446dbdcec2d4df2c64f0df0d6293e520872a0733e07d600affc7b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5FF9
  Size: 9944 bytes

Filename: font_02_sfnt_off0000820b.bin
  SHA-256: efa2e89c4cf8191efc31b2299568b077d15758911c952d3e1e78735181d1d807
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x820B
  Size: 16496 bytes

Filename: font_03_sfnt_off000098b8.bin
  SHA-256: 9af6fc3bf9d751f70540aea0fa47faa159a3604992cda23d2adcda3ffc5346b2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x98B8
  Size: 16092 bytes