Malicious PDF — malware analysis report

Static analysis result for SHA-256 87cc550a0a5d48bc…

Verdict: MALICIOUS
File type: PDF
Size: 40.1 KB
Created: 2020-08-30 12:13:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 007c907d70bd7ef7936e8c0d57ee7baf
SHA-1: d515e9297a0b302fc50a495b078487063589fdfe
SHA-256: 87cc550a0a5d48bcfa25f4b8ec681c660bbf1cce209c276cb29eb9a34ad3a6a5
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on static.usrfiles.com. One of the primary links, https://ttraff.ru/wix?keyword=verbals+quiz+with+answers, is flagged as a malicious redirector. The document body, though heavily obfuscated, contains references to the quiz lure and the malicious URL, suggesting an attempt to trick users into clicking the link. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/wix?keyword=verbals+quiz+with+answers

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                    | Size
font_00_sfnt_off00005ee9.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5EE9 | 5144 bytes
  SHA-256: b03344b17ad46f91854b29b5a58290dfe5795c0322ca7a8a9e03edc7f6c7cd1b
font_01_sfnt_off00007079.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7079 | 10564 bytes
  SHA-256: 71c500eb1ee64c414c47a009c86720641160c5b525c9546f8b8cd27dadf6567f