Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e0f6b7dedcd386f…

MALICIOUS

PDF

46.4 KB Created: 2020-08-30 04:22:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f045fa120f4bb7672a85e8b4318ca8cf SHA-1: 438efbcc1f59657c57da1797e86184d9e85fadf9 SHA-256: 8e0f6b7dedcd386ff4d666225fb5621dd906072af0fd7c57cf538704fa84a19b
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded links, with a critical heuristic firing indicating it points to known malicious redirector infrastructure. The primary malicious URL identified is https://ttraff.club/wix?keyword=gregory+toussaint+net+worth. The document body, though heavily obfuscated, also contains this URL and other links to static.usrfiles.com, suggesting a link farm designed to obscure the ultimate destination. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=gregory+toussaint+net+worth
    • https://static.usrfiles.com/ugd/b8c837_6ea50097fd1344778fc09c232cb3b066.pdf
    • https://static.usrfiles.com/ugd/c83fdb_2f13d5e4955c4116b6cfde78f6aa4897.pdf
    • https://static.usrfiles.com/ugd/429b25_550c8f0b7981422883286198e812d5b7.pdf
    • https://static.usrfiles.com/ugd/3bf302_2ff62ee5fa364ec4abf733dec97f8c0b.pdf
    • https://static.usrfiles.com/ugd/289c5e_c17ed44226364d0fa1e32094f196e1c0.pdf
    • https://static.usrfiles.com/ugd/b8c837_e17f5444ee2445dbbd3d9962f5a52bed.pdf
    • https://static.usrfiles.com/ugd/b8c837_39819be299b749e4a93c58badf226a85.pdf
    • https://static.usrfiles.com/ugd/136d07_697cf01b75c84d828d0d9b71b2a28312.pdf
    • https://static.usrfiles.com/ugd/d2751c_32eeb3d97c714da38840de7e528913f9.pdf
    • https://static.usrfiles.com/ugd/cbdbb6_b5c722bd52084678a740b12a6bf24216.pdf
    • https://static.usrfiles.com/ugd/b8c837_da5cbadefd1b449c8b1031826a4d9e80.pdf
    • https://static.usrfiles.com/ugd/1cfe37_c5c8dca24125465f9383f07ebd54aea4.pdf
    • https://static.usrfiles.com/ugd/f63f29_ddddef9928c647f48e025a083288ca29.pdf
    • https://static.usrfiles.com/ugd/724bd4_92e5a3fca0df49e6be9e46c59b4debb3.pdf
    • https://static.usrfiles.com/ugd/b8c837_79e5621b3b93465c933d78aa27bd31cc.pdf
    • https://static.usrfiles.com/ugd/b8c837_c4ad8f2148d84b52aa9d9178b43073df.pdf
    • https://static.usrfiles.com/ugd/0e2875_12eb34efda7d46f38b6fa33a3aa69760.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000066b1.bin
0eae382f44c64c8b0c125dd599fe44444ceb404a9f721a2aa360766c4aa09d4b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66B1 5140 bytes
font_01_sfnt_off00007841.bin
1f32d8e3da190ebc80818e3ddf3fdb330c62502198007c80d8e6a89b1d1ef088		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7841 1584 bytes
font_02_sfnt_off00008048.bin
9793ff7e321bf15058ff0a7db64865ce9f3c9cb512c69cc9f0027e398e87520e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8048 10748 bytes
font_03_sfnt_off0000a4b8.bin
5095ccdfdd328c3f25b1766e9c65bca58fa839170fcb9f3db3c20e130d955aff		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA4B8 1736 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.