Malicious PDF — malware analysis report

Static analysis result for SHA-256 a19d7641619d33fa…

MALICIOUS

PDF

59.7 KB Created: 2020-08-30 10:26:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2430d4c6c74f34f19c8d26fc3e7d8a6c SHA-1: e9c2637cd8e4e44c56d805905514592ac7447d29 SHA-256: a19d7641619d33fa589e767e0ac33e1c0c47880632f48c4496b0f997827c5fd0
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

This PDF file contains a link to a known malicious redirector, ttraff.cc, which is disguised as a link to 'modals of obligation and prohibition exercises pdf'. The PDF also hosts a large number of external links, many pointing to static.usrfiles.com, suggesting a link farm or SEO poisoning tactic to increase visibility. The ML classifier strongly flagged this PDF as malicious. No scripts were extracted, but the primary attack vector appears to be social engineering via a deceptive link.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=modals+of+obligation+and+prohibition+exercises+pdf
    • https://static.usrfiles.com/ugd/b8c837_7c45a3521adb48139282e4aac115287d.pdf
    • https://static.usrfiles.com/ugd/451461_69fbbb21e90c4f6db7e801f45dfd2c80.pdf
    • https://static.usrfiles.com/ugd/c7a620_c0968f1013f64476a7d5c60fd7047cf6.pdf
    • https://static.usrfiles.com/ugd/b8c837_446b3853681d4ffa8a5fb538553834d4.pdf
    • https://static.usrfiles.com/ugd/e73fea_c6396da98793460a9f5fdf2ec7c68061.pdf
    • https://static.usrfiles.com/ugd/b8c837_a70d14e4017c4f3e9b472845f8e7e8a8.pdf
    • https://static.usrfiles.com/ugd/b8c837_7a34f25398c34df9b1a99cc4e235aec6.pdf
    • https://static.usrfiles.com/ugd/b8c837_db43475c013b4a038cbe994afa5ee37f.pdf
    • https://static.usrfiles.com/ugd/e643da_65e2164d10324d6197c6defb25aa28e5.pdf
    • https://static.usrfiles.com/ugd/23e9be_1b03eb6d14e5488883d4c2ac5906721d.pdf
    • https://static.usrfiles.com/ugd/b8c837_d1ec45ada30d4d7ea515f1db91da13c5.pdf
    • https://static.usrfiles.com/ugd/b8c837_51a779df1f9348c3967d9a86dfea61fc.pdf
    • https://static.usrfiles.com/ugd/b8c837_a6e395da909d4f9487d23b56e0f9ceef.pdf
    • https://static.usrfiles.com/ugd/b8c837_45cc10e0495148158bd08491093cf7de.pdf
    • https://static.usrfiles.com/ugd/565485_10fee8fbf364414c9a730466a28b1bcd.pdf
    • https://static.usrfiles.com/ugd/b8c837_b7381071972346f296888b70f5ad0415.pdf
    • https://static.usrfiles.com/ugd/b8c837_d4596a7deb9a4e2b80d4de45785102e6.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_006_off0000c7f3.bin
8d9ce94171bfb89d127fccf40f878ce5a010faa8efe3001f3b1416b08c256449		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xC7F3 17020 bytes
font_00_sfnt_off000087e9.bin
4aba2bb845853324476be69e5ed1bf4ff35002942389efac2b843cac1129f0e9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x87E9 2828 bytes
font_01_sfnt_off000091e4.bin
c87b064827bf9e7bb7eee25913427d9ced65fb39b317380f1a19078c52e96c16		 pdf-font-stream PDF embedded font (sfnt) at offset 0x91E4 5632 bytes
font_02_sfnt_off0000a50d.bin
45765389a869b0ce44529e6e030bffbbc1f1489bd159e6e9915d852f2280ff6b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA50D 10128 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.