Malicious PDF — malware analysis report

Static analysis result for SHA-256 998a727349f37b00…

Verdict: MALICIOUS
File type: PDF
Size: 39.4 KB
Created: 2020-08-29 16:47:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c04a23a04f250a8e199dae4793b3afab
SHA-1: fb2e26e9290c6d156c144e547706e34a60275002
SHA-256: 998a727349f37b00c6d36a790f43026fbb00e1dd8acf5860f961e0e6e8152b08
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/wix?keyword=chevrolet+s10+service+manual'. This link is presented within the document body, disguised as a service manual, to entice users to click it. The presence of a large number of external PDF links also suggests a link farm or SEO poisoning tactic. The ML classifier strongly supports the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=chevrolet+s10+service+manual
    • https://static.usrfiles.com/ugd/b8c837_b8873021ca7949f9a9aab3c01abd3296.pdf
    • https://static.usrfiles.com/ugd/affaa6_cc329ec820a646b1832bd1917f006c18.pdf
    • https://static.usrfiles.com/ugd/b8c837_992a715decba46c8a8f23dc75744b9ec.pdf
    • https://static.usrfiles.com/ugd/b8c837_7e1b23471f6f4d3e8f2d2802ff2bfa3d.pdf
    • https://cdn.shopify.com/s/files/1/0430/0413/3525/files/brown_and_sharpe_cmm_manual.pdf
    • https://cdn.shopify.com/s/files/1/0430/4103/0293/files/xefedidu.pdf
    • https://static.usrfiles.com/ugd/5ecadc_5025631f89844113a3a96c7be13c369c.pdf
    • https://static.usrfiles.com/ugd/b8c837_d16976069f194bbc8d388cb05b025464.pdf
    • https://static.usrfiles.com/ugd/b8c837_ebaa5da43e824dd68ca5ff8a5f2a29fc.pdf
    • https://static.usrfiles.com/ugd/b8c837_515eaca7ad8d4dcc94d13af5426e78b9.pdf
    • https://static.usrfiles.com/ugd/b8c837_aafe7d4a9c8c49fa97a38022815f22f7.pdf
    • https://static.usrfiles.com/ugd/b8c837_fb3f081d440445e785ead5b9b7aed636.pdf
    • https://static.usrfiles.com/ugd/b8c837_bd83b711650c46d0ace2eb252c52e830.pdf
    • https://static.usrfiles.com/ugd/b8c837_79db1b3cedb34562867ac8531568f8aa.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00004f39.bin
    SHA-256: efc8eb001afa83dc40718582be386a6c9604d15d0aa014c511e656cfd49f0793
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4F39
    Size: 5196 bytes
  • Filename: font_01_sfnt_off000060c6.bin
    SHA-256: acf20a06ae9973cdb40c2c5cd68f144f4f39465893163084335795f21fab5621
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x60C6
    Size: 9980 bytes
  • Filename: font_02_sfnt_off000082f6.bin
    SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x82F6
    Size: 4324 bytes