Malicious PDF — malware analysis report

Static analysis result for SHA-256 8864060579afae59…

MALICIOUS

PDF

51.4 KB Created: 2020-09-07 15:46:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 01f73a9bad1ba3101d4a06a624e709ab SHA-1: c64d4ce726f5230dc3decbe3363a3e03c5e4bc1d SHA-256: 8864060579afae590da58f2b6d875c9d3ba09c52fa7d5e94d33ae88cfac4da08
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.link/wix?keyword=horizontal+directional+drilling+guidelines'. This URL is presented within the document body, disguised as 'Horizontal directional drilling guidelines'. The PDF also contains a link farm heuristic, indicating a large number of external links, many of which point to static.usrfiles.com. The ML classifier strongly flagged this PDF as malicious. The primary attack pattern involves luring the user to a malicious site via the redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=horizontal+directional+drilling+guidelines
    • https://static.usrfiles.com/ugd/a8cc01_9986b3ef686e4c22b6fe045c8f7d9a24.pdf
    • https://static.usrfiles.com/ugd/d1d005_ade793eb72cc4e829c90b5b61dcbb7e3.pdf
    • https://static.usrfiles.com/ugd/a48928_db1cdf48a1734582ae0e1dd5ecab3618.pdf
    • https://static.usrfiles.com/ugd/99965f_c97fdbc850e84ef882d9aa6a8aee984e.pdf
    • https://static.usrfiles.com/ugd/a44510_ecaeb71710904273a300688801b2dd3a.pdf
    • https://static.usrfiles.com/ugd/b8c837_dcb736365cfd43b3b88edad5c6de1288.pdf
    • https://static.usrfiles.com/ugd/5ea4d5_463ee0d60cae4d0ebc975cf6bdf00e31.pdf
    • https://static.usrfiles.com/ugd/b8c837_50d717412911452c9e850a5bb5fc6dc9.pdf
    • https://static.usrfiles.com/ugd/b16523_ddf611017726424d88955668d93c377e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008c4e.bin
6f251d4a688bff52168071175f3efc8fe9ac65d3fe83c5cee20e3b40f6843b27		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8C4E 5120 bytes
font_01_sfnt_off00009dc8.bin
a0a2479ce099cb0643342ccd276e8ddd26518e350236a44bc12fba0ead0a4ae5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9DC8 10124 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.