Malicious PDF — malware analysis report

Static analysis result for SHA-256 a3dcc6fd587de1c6…

Verdict: MALICIOUS
File type: PDF

Size: 55.6 KB
Created: 2020-08-31 20:29:21 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b774e90069c4939ff38f8029fcaecdb4
SHA-1: 582f7ccfa5a719ac176c944fac70aa93a6396fe6
SHA-256: a3dcc6fd587de1c6ae904d66c29aff8d13b4c0a09e3ed2cae3ba1b3d7608ec2f
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.cc'. This URL is used in conjunction with a link farm of 24 external PDF links, suggesting a coordinated effort to drive traffic to malicious sites. The document body, though heavily obfuscated, contains the same redirect URL, reinforcing its malicious intent. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/wix?keyword=my+talking+tom+mod+apk+ios

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006ddf.bin
  SHA-256: 9cca4c91229620b169076595819dce81d82ad400f620dbe9c3e5b1a6fdb89ddc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6DDF
  Size: 5352 bytes

Filename: font_01_sfnt_off0000801a.bin
  SHA-256: 81157d6e6a62d55e212cbb2bb636f58372e290eb2d5b9c33e83b362e3134df3b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x801A
  Size: 5532 bytes

Filename: font_02_sfnt_off000093da.bin
  SHA-256: b6f11b443b20e8b53cf04d53881680d460d81aa91dc90331d21831d4529b3bc2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x93DA
  Size: 10308 bytes

Filename: font_03_sfnt_off0000b74b.bin
  SHA-256: d283067002d0fb639e30a028e23b4cf9203238db29d4eea22e04b248a8aaca7e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB74B
  Size: 17660 bytes