Malicious PDF — malware analysis report

Static analysis result for SHA-256 785ef3be36714de2…

MALICIOUS

PDF

39.3 KB Created: 2020-09-01 20:16:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ad87d521d43383a6d26cfd3a8124d2f9 SHA-1: 59ffa701d95a6884fcdb3ceeedf291495f4c9029 SHA-256: 785ef3be36714de2ad32219de1508ad1bf9aecfe10754cfca0ef46ec5e6262a2
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

This PDF file was flagged as malicious by an ML classifier and contains a critical heuristic indicating it links to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains the URL 'https://ttraff.link/wix?keyword=potluck+sign+up+sheet+facebook', which is the primary indicator of malicious intent. The file also exhibits characteristics of a PDF link farm, embedding numerous external links, likely to obscure the malicious redirector. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=potluck+sign+up+sheet+facebook
    • https://static.usrfiles.com/ugd/7598fa_9f640eebba1d4b0baef768d89860ae79.pdf
    • https://static.usrfiles.com/ugd/0d002d_3a6d64a3cdbb4e5d98ef06b6a1f2405e.pdf
    • https://static.usrfiles.com/ugd/b8c837_071dbba00ab84b9e86744c2f01ade6c0.pdf
    • https://cdn.shopify.com/s/files/1/0435/3438/5303/files/cerere_inmatriculare_auto_2020_brasov.pdf
    • https://cdn.shopify.com/s/files/1/0434/8346/3832/files/bodexapaxazaxu.pdf
    • https://cdn.shopify.com/s/files/1/0432/9088/6299/files/84339796602.pdf
    • https://cdn.shopify.com/s/files/1/0439/6479/2990/files/candy_selfie_camera_app.pdf
    • https://cdn.shopify.com/s/files/1/0432/1342/2753/files/o_level_maths_transformation_notes.pdf
    • https://static.usrfiles.com/ugd/1be480_bbfcdeb1758f491da92140019cd37aed.pdf
    • https://static.usrfiles.com/ugd/111c46_f26b0bc2f7954daca1d71ca9e5033aee.pdf
    • https://static.usrfiles.com/ugd/34e21e_b7e3f01aa9624489843d099092dedc51.pdf
    • https://static.usrfiles.com/ugd/b8c837_bc5f17f1c9a64ac3bf44c0439541038a.pdf
    • https://static.usrfiles.com/ugd/aec2ea_ef6132c7d523475796f94d3ff9a79ee6.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000051e1.bin
3d07e1311a1eea3998829b07c01dfe8f0a52520dfefb515ce5c22732e476dd8b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x51E1 5388 bytes
font_01_sfnt_off00006437.bin
e8def34ef7fa1cd1e737aa53281a1ad4be732a20e453453846aa670fb207f4af		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6437 2044 bytes
font_02_sfnt_off00006da4.bin
37b8a7c48195ae4ea787867dc494f588f14daa6cb68157f166f9d95c679ee9f0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DA4 10060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.