Malicious PDF — malware analysis report

Static analysis result for SHA-256 82cbba5a72ae015d…

MALICIOUS

PDF

39.9 KB Created: 2020-09-03 01:01:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0653f041f8e5a10028e22dc2b621b2e1 SHA-1: 1f0c7cba7015b3ad759e4afa81f288755700da41 SHA-256: 82cbba5a72ae015d6a7cdafa17fe7206547718f73de10815cc8d2010bfc8f18c
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document was flagged by a machine learning classifier and contains a critical heuristic indicating it links to known malicious redirector infrastructure. The document body and embedded artifacts reveal a large number of external links, many pointing to static.usrfiles.com, which is identified as a link farm. The primary malicious URL identified is https://ttraff.link/wix?keyword=sheet+music+love+story+piano, which is likely used for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=sheet+music+love+story+piano
    • https://static.usrfiles.com/ugd/b8c837_7ae8175f7d8343578c7e89f811b1cad2.pdf
    • https://static.usrfiles.com/ugd/d017d5_410e7585ff724ed58968066b3f5aa46a.pdf
    • https://static.usrfiles.com/ugd/229b11_4593ceb8124247edaf9241746bff58e9.pdf
    • https://static.usrfiles.com/ugd/837d34_aa411a0f1ee249b4849dcc0927a0891a.pdf
    • https://static.usrfiles.com/ugd/4b874d_a19ae136d6004b6ea73a07d1615a3f94.pdf
    • https://static.usrfiles.com/ugd/8d57bd_e4c39a7f7de947498919ecc3cb52572f.pdf
    • https://cdn.shopify.com/s/files/1/0429/5871/7087/files/asterix_en_italia_gratis_espaol.pdf
    • https://cdn.shopify.com/s/files/1/0434/9650/5496/files/2020_19_spelling_bee_word_list.pdf
    • https://cdn.shopify.com/s/files/1/0433/4272/5275/files/nosumapubom.pdf
    • https://cdn.shopify.com/s/files/1/0434/3041/2454/files/example_of_investigation_report_pnp.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000052fa.bin
b3635a8694519cd27b9ccef3242b16e651ffaccf20a9aac3bb76ccb1dcd44923		 pdf-font-stream PDF embedded font (sfnt) at offset 0x52FA 5440 bytes
font_01_sfnt_off0000655d.bin
1a1e9f32a2b331f8f57a62f5c5650b6883f6b9391c9be0ad3807201843a38cd1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x655D 14772 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.