Malicious PDF — malware analysis report

Static analysis result for SHA-256 89498e2f1cf79584…

MALICIOUS

PDF

134.6 KB Created: 2020-09-09 17:03:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a906fd4cf6c015d2334263c91d6387ae SHA-1: 0c888ed12819eb538e7d066307959d5ab29ad5e6 SHA-256: 89498e2f1cf795841cb7d8f9ea75194f82d984587e8d9a9d589d859a2835bec4
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link to a redirector service (ttraff.me) which is flagged as malicious. The document body, though heavily obfuscated, contains the same URL and a keyword suggesting a lure. The presence of a large number of external PDF links, many hosted on static.usrfiles.com, indicates a link farm designed to distribute malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/pify?keyword=balupu+telugu+hd+video+songs+free
    • http://files.martijoyoga.com/uploads/1/3/2/3/132303382/86466b8fc.pdf
    • http://files.myrawilliamsottewell.com/uploads/1/3/2/3/132303410/fekepobixi.pdf
    • http://kigomubud.heal-md.com/uploads/1/3/0/9/130969937/kixevudugedima-tidesevozugoju-batirixoxilaf.pdf
    • https://static.usrfiles.com/ugd/b914b5_74ebe0bcfa4146bba25650bc6b618885.pdf
    • https://static.usrfiles.com/ugd/374ce0_6a8c532a80394fada7048619e78c766d.pdf
    • https://static.usrfiles.com/ugd/121e37_26fdeee0353b437bb7dad7ed3fa440ef.pdf
    • https://static.usrfiles.com/ugd/9b7d8a_2528ff1cc30c425d90a54e1480ee01e4.pdf
    • https://static.usrfiles.com/ugd/b8c837_00eae8365d8344c89a035ff6106dbf7a.pdf
    • https://cdn.shopify.com/s/files/1/0435/6328/6691/files/tezanemagogejaxojukorawum.pdf
    • https://cdn.shopify.com/s/files/1/0434/5449/6935/files/lizutosemisuromarujufiv.pdf
    • https://cdn.shopify.com/s/files/1/0435/7731/1395/files/application_of_buffer_solution_in_pharmacy.pdf
    • https://static.usrfiles.com/ugd/64bd79_b1d7ec7aacbe44df89248857af313473.pdf
    • https://static.usrfiles.com/ugd/f8de3e_8072bf11f55f4fb7938f934fae3fc04d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001d43c.bin
94bfdf93dc9d51f1db8a14be28dd34bf4229b93ee1c3bdfa402e7a90ebf917d3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1D43C 5412 bytes
font_01_sfnt_off0001e6ae.bin
48d882e6df5c0b7e7dcca4cfaa6c1ff1d851fbea371af93d400370ff1dcdd3b4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1E6AE 11148 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.