Malicious PDF — malware analysis report

Static analysis result for SHA-256 4e4223f9067a92d8…

Verdict: MALICIOUS
File type: PDF
Size: 40.3 KB
Created: 2020-08-30 12:09:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ac7250f61cf046f53c432c0a2e62233b
SHA-1: e986df92d677a835e23e55170d6bc58e429c8942
SHA-256: 4e4223f9067a92d8087ca43b7b4be9c5eece70e6cb1a5adb7110acb943d9075e
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains a clickable link to a known malicious redirector, ttraff.cc; the URL's query string carries a search phrase about Italian food (entradas de comida italiana), the keyword-stuffing pattern used by SEO-driven PDF campaigns. The document also contains 13 external links to other PDFs, all hosted on static.usrfiles.com, which points to a generated link farm rather than a normal citation pattern. The ML classifier scores the file as malicious with maximum confidence (1.0000). No scripts were extracted; the malicious activity is user-driven: a click on the link starts a redirect chain to a harmful site, and no PDF-reader exploitation is involved.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL on its own is not a detection; the channel through which each URL is reached (macro, JS, link annotation, document body, ...) determines its relevance. The URLs below are grouped by channel.
    Clickable link targets (14), the redirector URL first:
    • https://ttraff.cc/wix?keyword=entradas+de+comida+italiana
    • https://static.usrfiles.com/ugd/b8c837_03c0f31937d141bfbe664aea726c2791.pdf
    • https://static.usrfiles.com/ugd/384ea4_f9134df88aea49fb99773c9d655fe221.pdf
    • https://static.usrfiles.com/ugd/b8c837_782af9f86f0f42eb96f5965a607cb2f8.pdf
    • https://static.usrfiles.com/ugd/b8c837_43597533810547daa7ba4c2ad732d0a5.pdf
    • https://static.usrfiles.com/ugd/c068f8_34171320f0554e98a439c20a26b3df3d.pdf
    • https://static.usrfiles.com/ugd/04e6f9_ca018fa6bb4846889d5151f00348ae48.pdf
    • https://static.usrfiles.com/ugd/0c4177_2707a6cf7ae7484c9d1163d7087a4700.pdf
    • https://static.usrfiles.com/ugd/345929_03b934647dd04b438adbea1115e0f496.pdf
    • https://static.usrfiles.com/ugd/fd3290_3d858d1f65834f398d8eafc45fae0c62.pdf
    • https://static.usrfiles.com/ugd/430cb2_329868ac7ca7489eb4f2b74833d2d5e0.pdf
    • https://static.usrfiles.com/ugd/3e9e83_0f0c56a37c8a4f1296e6a6a961c60641.pdf
    • https://static.usrfiles.com/ugd/e32576_d7f12125fe74485a9abfcb7bcb476ccc.pdf
    • https://static.usrfiles.com/ugd/0049ca_1e7049aa85f04f0fbf1803677abf17dc.pdf
    Namespace URIs from the XMP metadata packet (schema identifiers written by the authoring tool, not links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
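The two critical heuristics above, reproduced as an added example that is not part of this report or of the analysis pipeline behind it. It extracts /URI action targets from a PDF's raw bytes, checks them against a redirector host list (an assumption: only the host named in this report is listed) and applies the link-farm rule with assumed thresholds (file at most 100 KB, at least 10 external .pdf links, at least half of them on one host). The sample PDF is constructed in memory with made-up paths on the report's hosts and is not the analysed file; the regex pass only works on uncompressed objects.

```python
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import urlparse

# Assumption: a minimal redirector host list containing only the host named in the report.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.cc"}

# /URI values appear either as literal strings "(...)" or as hex strings "<...>".
URI_RE = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)"
)


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI action target found in uncompressed PDF objects, in file order."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        if m.group("lit") is not None:
            # Undo the PDF literal-string escapes for '(', ')' and '\'.
            raw = re.sub(rb"\\([()\\])", rb"\1", m.group("lit"))
        else:
            hexdigits = re.sub(rb"\s", b"", m.group("hex"))
            if len(hexdigits) % 2:      # PDF treats a missing final digit as 0
                hexdigits += b"0"
            raw = bytes.fromhex(hexdigits.decode("ascii"))
        uris.append(raw.decode("latin-1"))
    return uris


def triage(pdf_bytes: bytes, *, small_pdf_bytes: int = 100_000,
           min_pdf_links: int = 10, cluster_ratio: float = 0.5) -> dict:
    """Apply the redirector-link and link-farm heuristics. Thresholds are assumptions."""
    uris = extract_uris(pdf_bytes)
    hosts = [urlparse(u).hostname or "" for u in uris]
    redirector_hits = sorted({h for h in hosts if h in KNOWN_REDIRECTOR_HOSTS})

    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    pdf_hosts = Counter(urlparse(u).hostname or "" for u in pdf_links)
    top_host, top_count = pdf_hosts.most_common(1)[0] if pdf_hosts else ("", 0)
    link_farm = (
        len(pdf_bytes) <= small_pdf_bytes
        and len(pdf_links) >= min_pdf_links
        and len(pdf_links) > 0
        and top_count / len(pdf_links) >= cluster_ratio
    )

    verdicts = []
    if redirector_hits:
        verdicts.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if link_farm:
        verdicts.append("PDF_SEO_LINK_FARM")
    return {
        "size": len(pdf_bytes),
        "uris": uris,
        "redirector_hits": redirector_hits,
        "pdf_link_count": len(pdf_links),
        "top_pdf_host": (top_host, top_count),
        "verdicts": verdicts,
    }


def build_test_pdf(uris: list[str]) -> bytes:
    """Construct a minimal one-page PDF whose /Link annotations target `uris`.

    Constructed test input, not the analysed sample. The xref table is omitted:
    the regex pass above never needs it and nothing here is rendered.
    """
    annots, refs = [], []
    for n, u in enumerate(uris, start=4):
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        annots.append(
            f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
            f"/A << /S /URI /URI ({esc}) >> >>\nendobj\n"
        )
        refs.append(f"{n} 0 R")
    body = (
        "%PDF-1.4\n"
        "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
        "3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        f"/Annots [{' '.join(refs)}] >>\nendobj\n"
        + "".join(annots)
        + "trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )
    return body.encode("latin-1")


# Constructed sample mirroring the report's pattern: one redirector URL plus a
# cluster of external .pdf links on a single host (the paths are made up).
SAMPLE_URIS = (
    ["https://ttraff.cc/wix?keyword=entradas+de+comida+italiana"]
    + [f"https://static.usrfiles.com/ugd/{i:06x}_constructed.pdf" for i in range(12)]
    + ["https://example.org/unrelated.pdf"]
)

if __name__ == "__main__":
    for key, value in triage(build_test_pdf(SAMPLE_URIS)).items():
        print(f"{key}: {value}")
```

Run against a real sample only after inflating object streams and FlateDecode'd dictionaries (pypdf or pdfminer handle that), since link annotations in generator output are often compressed; the byte-level regex is deliberate so the file is never parsed by a full PDF engine on the triage host. Link targets reached through /Dest, /GoToR or JavaScript are not covered here, and the extracted URLs should be looked up in reputation data rather than fetched from an analyst workstation.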

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded font streams, which wkhtmltopdf writes into every document it generates; they are listed for completeness and are not detections.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00005f8c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5F8C  5040 bytes
  SHA-256: 5d0bfe2fe3663534306bf019327f8c3b161da350c54741e4970bf9d4c87ad331
font_01_sfnt_off00007092.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7092  11076 bytes
  SHA-256: acebc991aff00e681cef5d5898a8a34a66cefd73d62d631b993748a5b0bcb0c6