Malicious PDF — malware analysis report

Static analysis result for SHA-256 97fcecf86f9d964f…

Verdict: MALICIOUS
File type: PDF
Size: 68.7 KB
Created: 2020-08-29 23:08:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 39e6c720552d22f22527be10e0175624
SHA-1: 7b4598a5f99da033c752f4539336abb8b6114dd4
SHA-256: 97fcecf86f9d964f15cab9861576d6e32fe1c7bff72753c76d33702688aa1042
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.com/wix?keyword=xxx+video+pnjabi+18+vrsaca'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, many pointing to 'static.usrfiles.com'. The ML classifier strongly flagged this PDF as malicious. The document body, though heavily obfuscated, contains the same redirector URL and appears to be a lure for adult content, likely a pretext for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://ttraff.com/wix?keyword=xxx+video+pnjabi+18+vrsaca

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Columns: Filename; Kind; Source; Size; SHA-256

  • font_00_sfnt_off000068ac.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x68AC; Size: 3776 bytes
    SHA-256: 2cc534cd89b000e6228a2f2e8756cdaf587df437ab7ce458b7dcffe8f0b4917c
  • font_01_sfnt_off0000763a.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x763A; Size: 5604 bytes
    SHA-256: d7d336998be866e7c80fb6c0e44d0d0e0e49f973317eed1680f623d1717635ef
  • font_02_sfnt_off0000894f.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x894F; Size: 6572 bytes
    SHA-256: fa8c11f72cde75943c37e0aee73cbacf520abff1186e5a59f98fdfe34235980a
  • font_03_sfnt_off00009da3.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x9DA3; Size: 6148 bytes
    SHA-256: 0b8363bc9e07cf89205331d27bc1c31e4fc91592bb846ce71245372e642e4983
  • font_04_sfnt_off0000ad83.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xAD83; Size: 11264 bytes
    SHA-256: 64a70414abd10f6ff3f341c5095a29b00111670ae946b346ba98eb113caacf62
  • font_05_sfnt_off0000d3c0.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xD3C0; Size: 16684 bytes
    SHA-256: d2dbedc23249eed12779007d0c58b566766b7d8fb5b0bb1d603b2aa598fde09e
  • font_06_sfnt_off0000eb1a.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xEB1A; Size: 7436 bytes
    SHA-256: 9d7e7591c12e1f41efa5cc0e4aedfd38b6a08e1a105f6078ac48e429ee38013c