Malicious PDF — malware analysis report

Static analysis result for SHA-256 983ea2caa203273f…

MALICIOUS

PDF

47.0 KB Created: 2020-08-31 15:31:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b9550c2b0cc9cf9b9f34bfd1c600c080 SHA-1: 3b176908922b7282c007a1a27ca17b93564fb891 SHA-256: 983ea2caa203273f7dd70372688cf4034ceb08181fb6c2cf4059215e6cc4b167
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many pointing to a link farm hosted on static.usrfiles.com, and one critical link to a known malicious redirector at ttraff.com. The document body, though heavily obfuscated, contains text related to 'Tor browser' and the malicious URL, suggesting a lure to a phishing or malware distribution site. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=tor+browser+untuk+pc
    • https://static.usrfiles.com/ugd/2f3ac6_912d6257333c41e29f4d0577317d636a.pdf
    • https://static.usrfiles.com/ugd/b8c837_20ef6ccba5964ecfb694e2da3c44c52b.pdf
    • https://static.usrfiles.com/ugd/c6ac46_ae0a8e51e8fa4b0f927607bfc6a344a9.pdf
    • https://static.usrfiles.com/ugd/eda9ba_527c8f8b9bb448c888d731c67eef97b7.pdf
    • https://static.usrfiles.com/ugd/b8c837_e9f61959076245ed9fa00c96a6d56967.pdf
    • https://static.usrfiles.com/ugd/b8c837_88e5ae1a84cb4ed89e333e06beae123e.pdf
    • https://static.usrfiles.com/ugd/d2751c_e3e45516ab66410e8571400b61ff9920.pdf
    • https://static.usrfiles.com/ugd/6350c7_9fe4aad6f52a451cad81e053fff43da8.pdf
    • https://static.usrfiles.com/ugd/d78803_a288fe1dd1084435b788d6b6a0dd524b.pdf
    • https://static.usrfiles.com/ugd/b8c837_605c73bb4fdf4a62acfc805c535965d3.pdf
    • https://static.usrfiles.com/ugd/b8c837_15b571ccc55447868505cbab9e834b35.pdf
    • https://static.usrfiles.com/ugd/2e79a6_abebc33cafa44fda96fb5a1e9d7fecde.pdf
    • https://static.usrfiles.com/ugd/33a16d_62939b190fc34f2c9ce21aaf2acf358c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006e65.bin
71ef31451f40756e47f88744daa0d5a57aac9b96c30470598c7e4b5a0fe63e78		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E65 4764 bytes
font_01_sfnt_off00007eb9.bin
ea94fa4443a07b5c0a11228e371ef6201cfbcf47945652b5491b63b407d6faab		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7EB9 10064 bytes
font_02_sfnt_off0000a13f.bin
1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA13F 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.