Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b84fa9d4c22f7b8…

MALICIOUS

PDF

38.5 KB Created: 2020-09-01 14:56:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 992ce2e8d6ceb7fbf3902d4c456efe3a SHA-1: facdc9d184045b9a716152a90ce12bb21bc754ee SHA-256: 4b84fa9d4c22f7b8ca0f13a709466efbc62d92db8e58189f826cebe389b1eb14
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.link, which is disguised as a search result for 'hackerrank multiple choice questions and answers'. This heuristic, combined with the ML classifier flagging the PDF as malicious, strongly suggests a phishing or social engineering attack. The PDF also hosts a large number of external links, indicating a link farm designed to attract traffic or distribute malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=hackerrank+multiple+choice+questions+and+answers
    • https://static.usrfiles.com/ugd/fd30ac_c4557cd031e04198b78b0232200f56a0.pdf
    • https://static.usrfiles.com/ugd/b8c837_b33179107214499daf91052a7bd513ee.pdf
    • https://static.usrfiles.com/ugd/90423f_9d0c0a57a021448d8be28d388c56ac33.pdf
    • https://static.usrfiles.com/ugd/7c3584_3a4b998c4d9e4fa09e60b9d963535504.pdf
    • https://static.usrfiles.com/ugd/1e32c2_7ebe840b2c2a4ef69212c673bf83e264.pdf
    • https://static.usrfiles.com/ugd/b8c837_7f598550e17d4b59a95388f01a911b41.pdf
    • https://static.usrfiles.com/ugd/2f07a1_6480f67c81d249f79361da592183d9a0.pdf
    • https://static.usrfiles.com/ugd/b8c837_279b627fcb6d42928657072eec264d96.pdf
    • https://static.usrfiles.com/ugd/b8c837_b33e31e4e4664a85b2535a5df377ba04.pdf
    • https://static.usrfiles.com/ugd/26481d_5e5196fd30f244cc9f0a98b6d2e9fc45.pdf
    • https://static.usrfiles.com/ugd/b8c837_b089d3b1d70b428681402cc08f38a9eb.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000587b.bin
c0a53c86cc60cdf807bb9755edbd375d9bde64acd8a6d67b310c5d071267ed58		 pdf-font-stream PDF embedded font (sfnt) at offset 0x587B 5556 bytes
font_01_sfnt_off00006b3d.bin
b5ef9159eac68568a2562325266ee57c860d3e4bede2095968188530c3ca785e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B3D 10040 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.