PDF malware analysis — malicious · 57a36b2e204b100e

MALICIOUS

PDF

79.7 KB Created: 2020-08-30 03:47:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: adcda477e338f05dff21418319078153 SHA-1: 33daef1604db31883abd70d5ce5f02f1df0368fc SHA-256: 57a36b2e204b100e169abc4b787afe0960cb76f69b3030b93fe4c802ac9eb5bb

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.cc/wix?keyword=csr+racing+2+tier+1+best+car'. This URL is likely used to redirect the user to a malicious site. The document also contains a large number of embedded links, many of which point to 'static.usrfiles.com', suggesting a link farm or SEO poisoning tactic to improve search engine ranking for malicious content. The ML classifier also strongly indicated maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=csr+racing+2+tier+1+best+car
- https://static.usrfiles.com/ugd/b8c837_9f0d3d6ca38d4041bed68ad744c9a8c9.pdf
- https://static.usrfiles.com/ugd/9ea9b6_ce3540ee7280473892f79ec212604345.pdf
- https://static.usrfiles.com/ugd/b8c837_3a0e5c92cab94dbdab4a6c36a4127354.pdf
- https://static.usrfiles.com/ugd/451461_b30c8efcf5b6435b81feba8561ef6395.pdf
- https://static.usrfiles.com/ugd/b8c837_eb2ac7023035439f9a1121a609963466.pdf
- https://cdn.shopify.com/s/files/1/0462/4872/2583/files/transformou_agua_em_vinho.pdf
- https://cdn.shopify.com/s/files/1/0431/9494/1603/files/idm_with_crack_filehippo.pdf
- https://cdn.shopify.com/s/files/1/0431/1813/3405/files/dawidobobu.pdf
- https://cdn.shopify.com/s/files/1/0434/4017/7317/files/vubidozamajetupumof.pdf
- https://static.usrfiles.com/ugd/b8c837_e92078842fa141ccbf09640afcee7c59.pdf
- https://static.usrfiles.com/ugd/82e28d_39903ae8bc9f48568f002b9ecf7313a3.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000bee8.bin` `429ca558a64d64b3ef131553afb006fe0e45114d8a1c6bda62949d0675f71c06`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBEE8	4960 bytes
`font_01_sfnt_off0000cfca.bin` `b3bc1710b1d460340379e5bc07e2ab3db12438d40ef5d5bedb2ee52d203651d3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCFCA	2292 bytes
`font_02_sfnt_off0000da1b.bin` `0d53e5a999b225881374a71fbe06d45b0cc4b0bf7005c6dfbe202437598fddfe`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDA1B	15904 bytes
`font_03_sfnt_off00010b90.bin` `06da373af68e7191dc5c758bb4af698bef04be16950b83d1384ad2eda814e122`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10B90	16764 bytes
`font_04_sfnt_off000122f5.bin` `1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x122F5	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.