Malicious PDF — malware analysis report

Static analysis result for SHA-256 a40a294f12daa4e7…

MALICIOUS

PDF

Size: 46.3 KB
Created: 2020-09-02 21:56:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bc37cbdd90e0465c183bc8bcaa2d7fdb
SHA-1: fec095688ad26ed40c27de06f79aee04a50796a7
SHA-256: a40a294f12daa4e7c6bcbe1f7e8603c0d5399dedecb18533d19d225e13caaf37
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.me/wix?keyword=sample+business+case+study+template'. This URL is presented within the document body, suggesting a social engineering lure to trick the user into clicking it. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs, many pointing to 'static.usrfiles.com'. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.me/wix?keyword=sample+business+case+study+template

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00007808.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7808  5468 bytes
  SHA-256: 79e5674cd82b3f81fdf77e3d8af22003b8e5cf96e0eea9b7269942ea68f19683
font_01_sfnt_off00008a8b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8A8B  9936 bytes
  SHA-256: a69ae216bde16949fba4bff729a5212d3f9e354657627a18d9fa619278fa11cf