Malicious PDF — malware analysis report

Static analysis result for SHA-256 8b0cc419901ee4ca…

MALICIOUS

PDF

37.9 KB Created: 2020-08-31 14:20:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dfee575c3fbc32f598e188e9c7e01ea5 SHA-1: 1cfee37e5b7b6bfc4de5feeb81f248c223cd4e62 SHA-256: 8b0cc419901ee4ca27a2c7bab2237744384ddb66fc10aeb09c8d292acdb39f63
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.cc, which is disguised with a keyword related to app development. This suggests a phishing or social engineering attempt to direct the user to malicious content. The ML classifier also strongly indicated maliciousness. No scripts were extracted, but the presence of a malicious redirector and the document body's content strongly suggest a phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=android+app+making+online+free
    • https://static.usrfiles.com/ugd/0df15e_81ec43c8da4342f3973d237ec2a35be8.pdf
    • https://static.usrfiles.com/ugd/4c76bf_e6c2b9f507d14c308f3174515e1dadf3.pdf
    • https://static.usrfiles.com/ugd/b8c837_fa1fb0994d5642f8a7a4401336d38efe.pdf
    • https://cdn.shopify.com/s/files/1/0437/1152/9114/files/goxoseripobenej.pdf
    • https://static.usrfiles.com/ugd/66c878_91f91285922b43d6ac8771924887ea0f.pdf
    • https://static.usrfiles.com/ugd/ade4e6_de6883c158be443fa32947e1a7cc89d6.pdf
    • https://static.usrfiles.com/ugd/b8c837_0775ccb3b10543b584732e3dc8571d0a.pdf
    • https://static.usrfiles.com/ugd/b8c837_195e3f0534ea465ca49fba8be2f43f65.pdf
    • https://cdn.shopify.com/s/files/1/0432/5621/7750/files/toms_river_book.pdf
    • https://cdn.shopify.com/s/files/1/0436/5382/4677/files/alarma_buster_manual.pdf
    • https://cdn.shopify.com/s/files/1/0431/5214/6587/files/mozubulotegu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000056b5.bin
fb9d031510e71f38d4d1732feb490cecd099aaacb2d817d4bc9151393cd455ed		 pdf-font-stream PDF embedded font (sfnt) at offset 0x56B5 5236 bytes
font_01_sfnt_off0000687d.bin
3464385e09451f07ccc40718a36720d1d120043423c326c0ea396c6d94e0f454		 pdf-font-stream PDF embedded font (sfnt) at offset 0x687D 10076 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.