Malicious PDF — malware analysis report

Static analysis result for SHA-256 92da61b5f2da539f…

MALICIOUS

PDF

Size: 113.7 KB
Created: 2020-09-01 11:30:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1bae84505237ecfe3e43683bd92c75f0
SHA-1: 4b4e61fab0da7b93abc847a199c143e5a1742f28
SHA-256: 92da61b5f2da539f740b60d59a6834086e5f594225bf381ce955bd1e271d35b9
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.com/wix?keyword=love+yourself+album+versions+answer'. Additionally, a PDF link farm heuristic indicates the document is designed to host numerous external links, with 'https://static.usrfiles.com/ugd/63022f_e23d148bb82244718513a094f68541af.pdf' being the first listed. The ML classifier also strongly flagged this PDF as malicious. The document body, though heavily obfuscated, contains references to the redirector URL and a benign-looking PDF URL, suggesting a lure to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • PDF links to known malicious redirector infrastructure (critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/wix?keyword=love+yourself+album+versions+answer
    • https://static.usrfiles.com/ugd/63022f_e23d148bb82244718513a094f68541af.pdf
    • https://static.usrfiles.com/ugd/b8c837_cf6d042501604a5ab710fa21e3333053.pdf
    • https://static.usrfiles.com/ugd/63d3ad_c16a3ce5761a45a4bc042a216a9495ce.pdf
    • https://static.usrfiles.com/ugd/b8c837_0fa239f3bdb440fdab8ffae0ecfc174e.pdf
    • https://static.usrfiles.com/ugd/a107db_2c5d4dbbf0ec4d88863a42608387e8ff.pdf
    • https://cdn.shopify.com/s/files/1/0433/9449/8709/files/59195949257.pdf
    • https://cdn.shopify.com/s/files/1/0435/3441/8075/files/besezarupi.pdf
    • https://static.usrfiles.com/ugd/b8c837_1e28315aecf8435088fb6d083d34827a.pdf
    • https://static.usrfiles.com/ugd/d43733_c6c7582a6a564cd7a5b2c257a9bfd91f.pdf
    • https://static.usrfiles.com/ugd/0d2908_f6482a7074144c52afbd8e5c1cbf9494.pdf
    • https://static.usrfiles.com/ugd/b11f6d_fc4f8d667f264ac388cd49bcade47684.pdf
    • https://static.usrfiles.com/ugd/4c76bf_42df0688f7454688a134d30ce294c654.pdf
    • https://static.usrfiles.com/ugd/430cb2_c021e579fbb44e54b833ae371da6a564.pdf
    • https://static.usrfiles.com/ugd/590778_2f5c300756f24bb28cf8097149247b3e.pdf
    • https://static.usrfiles.com/ugd/5de1df_d012b6184e38476e80c5f5fc9f38f455.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 5

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size.

  • font_00_sfnt_off0000d524.bin
    SHA-256: d3fb9c86976e3169c910c1edef54d515442e308ff37a3bf61d9be8e3675b3967
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD524
    Size: 42048 bytes
  • font_01_sfnt_off0001525b.bin
    SHA-256: b7fd1c39d00da17327cd9cf1aa1b691496cdefe2d0e6bbee36c7933a3ebc9973
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1525B
    Size: 5248 bytes
  • font_02_sfnt_off0001643e.bin
    SHA-256: 67167afb1f932968e2c0825035e6995e3389551f7fe5aece716e2ed45dfbd3cc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1643E
    Size: 15984 bytes
  • font_03_sfnt_off0001955a.bin
    SHA-256: 0f3d7a057013ae66a6fefd89f0231138b9449f6210e6940fc2824b120340f9eb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1955A
    Size: 16880 bytes
  • font_04_sfnt_off0001adb3.bin
    SHA-256: e2f50d5f4e3fc2e46405e9f934f61f85e6ad4dd4f1a71686478313b05a5ff7cb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1ADB3
    Size: 1932 bytes