Malicious PDF — malware analysis report

Static analysis result for SHA-256 5563a30486ac8499…

MALICIOUS

PDF

55.1 KB Created: 2020-08-29 16:11:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a98b2a435f19aa1a6f57c3eb9cc98e60 SHA-1: 70b1f0704b0101a70ba5ce59844f7df049fc6f8a SHA-256: 5563a30486ac849957e9e918a7c2cec812e7164a5bdf10bd90402eb9a53fafa1
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/wix?keyword=minecraft+nude+texture+pack'. This URL is likely used to direct users to malicious content or further stages of an attack. The document also exhibits characteristics of a link farm, with numerous embedded URLs, many of which point to 'static.usrfiles.com'. The ML classifier also flagged this PDF with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=minecraft+nude+texture+pack
    • https://static.usrfiles.com/ugd/b8c837_b461b6dd628a42a699721933b605193d.pdf
    • https://static.usrfiles.com/ugd/b8c837_ae7f3d9bb53748aea81954be1bb67ec9.pdf
    • https://static.usrfiles.com/ugd/b8c837_c5c1c7f912464944b0ff6b432dc6a691.pdf
    • https://static.usrfiles.com/ugd/b8c837_442e979460214b15872380ed30b92c52.pdf
    • https://static.usrfiles.com/ugd/b8c837_980e1393dd6346279d5be4732cd1654f.pdf
    • https://static.usrfiles.com/ugd/9f6a24_bb705a203e0d485dbc6fe184ebacf435.pdf
    • https://static.usrfiles.com/ugd/b8c837_85aecc8df6674150ab51778ad6bada5f.pdf
    • https://static.usrfiles.com/ugd/bf650e_2eedd018e7714ff29a33103faa807cd9.pdf
    • https://static.usrfiles.com/ugd/89064d_0163f3ff862e4917aeb820d584a3da9d.pdf
    • https://static.usrfiles.com/ugd/b8c837_fde0e5f9ecf94f0f8fa19f126ef7d74a.pdf
    • https://static.usrfiles.com/ugd/b8c837_064131a5b1c94eb388e4fc0ecc63037f.pdf
    • https://static.usrfiles.com/ugd/b8c837_cf0d6220e13d49c58033b74ce4b832b3.pdf
    • https://static.usrfiles.com/ugd/0a0016_e4828c7fd61943619d3f9673cb653d86.pdf
    • https://static.usrfiles.com/ugd/b8c837_c20eb92b6cb9488897b5fdd42d1e0f5c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000998d.bin
11999188c2bd209e3612c57ab4326b706ad41583ffcf2994a37a69d3c071b610		 pdf-font-stream PDF embedded font (sfnt) at offset 0x998D 5076 bytes
font_01_sfnt_off0000aae7.bin
378f2f77d22cc31c6fdefec9d54f159ad2e3978bfd97b2cb5a243476a88d164c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAAE7 10944 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.