PDF malware analysis — malicious · 8dd3a54bb969ecc0

MALICIOUS

PDF

41.7 KB Created: 2020-09-08 13:18:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b1fb2b20de3a92244eca5ffd3f206eea SHA-1: c5f6d3cdf5095312663c00e2400b624f544af9d9 SHA-256: 8dd3a54bb969ecc0143261804bbdf0a888f74e424eb845800968cae023075ea1

152 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.me', which is used in conjunction with a lure for 'battlestar royale mod apk'. The document also contains a large number of embedded links, many pointing to 'static.usrfiles.com', suggesting a link farm or redirection strategy. The ML classifier strongly indicates maliciousness. The primary malicious IOC is the redirector URL.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.me/wix?keyword=battlestar+royale+mod+apk
- https://static.usrfiles.com/ugd/9c0842_9ab6c3bddbe043e18d10ef3146f91c45.pdf
- https://static.usrfiles.com/ugd/4542d9_4a32bb21b5cb46eb9f42fd7d8def87a2.pdf
- https://static.usrfiles.com/ugd/3e9e83_d73b07ad4bf54f1d849650f6ff7f370b.pdf
- https://static.usrfiles.com/ugd/a31856_7c180b8f51544c369d5b3897a1ae8b82.pdf
- https://static.usrfiles.com/ugd/c068f8_73c5c976493c406e99c3f06c33a2bede.pdf
- https://static.usrfiles.com/ugd/dcc11b_77db4313c1e344138817afdc34d47d52.pdf
- https://static.usrfiles.com/ugd/a9248e_b98a8572c25340dcb8fdffaba9b81bbc.pdf
- https://static.usrfiles.com/ugd/18574e_51580966e6f9443ca2386e3726175bfc.pdf
- https://static.usrfiles.com/ugd/0a593f_4af43eddc58741c6858016285713b007.pdf
- https://static.usrfiles.com/ugd/6fd45c_af96eece30b24d2b879e3031a470c5c1.pdf
- https://cdn.shopify.com/s/files/1/0428/9937/4236/files/94597341112.pdf
- https://cdn.shopify.com/s/files/1/0428/1594/6911/files/holy_bible_esv.pdf
- https://cdn.shopify.com/s/files/1/0437/0015/8629/files/important_current_affairs_of_september_2020.pdf
- https://cdn.shopify.com/s/files/1/0437/8741/9805/files/mike_tysons_punch_out_rom.pdf
- https://cdn.shopify.com/s/files/1/0463/0619/7669/files/japupozudomawosoxapif.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004faf.bin` `983ab0042bc555e9eb123bfc5424d1d3ca8032af3c2231ba86efd6534797c50b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4FAF	5320 bytes
`font_01_sfnt_off000061bd.bin` `78edc9e87dfe8b84c6cd1f0954d2e363df7825ec91550f8dcc960a53d725815b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x61BD	10232 bytes
`font_02_sfnt_off000084e2.bin` `9af6fc3bf9d751f70540aea0fa47faa159a3604992cda23d2adcda3ffc5346b2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x84E2	16092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.