Malicious PDF — malware analysis report

Static analysis result for SHA-256 910607df0926d77c…

MALICIOUS

PDF

Size: 44.6 KB
Created: 2020-08-31 17:37:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bd2b74ee22130b91273d69f32893ad5b
SHA-1: 2c267cf89057cfd65ef134e851760bc060dd8887
SHA-256: 910607df0926d77c234e3b23a347c773ab79f5f47332565e424b817ea58e8c2b
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a high number of embedded links, many pointing to a redirector service, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM heuristics. The primary malicious URL, https://ttraff.club/wix?keyword=pc+building+simulator++full+free, is presented as a lure for free software. No scripts were extracted, but the structure suggests a phishing or social engineering attack.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.club/wix?keyword=pc+building+simulator++full+free

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00006eae.bin | 839a1d39d5600fd1fb336180a425c94d6032cb323af298dd77ea2eacf9bae150 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6EAE | 5484 bytes
font_01_sfnt_off00008136.bin | cad19ffd5eb7f745ea190e74ea1a2677e0fb748cf9b0b400d5c35d57a188b9b7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8136 | 10828 bytes