Malicious PDF — malware analysis report

Static analysis result for SHA-256 a82ecc61d6edef2a…

MALICIOUS

PDF

48.8 KB Created: 2020-09-17 02:23:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cb8fe21e359af6c8a9d7ad52dc2391da SHA-1: 8c26c16571e10ac023119f3867d37f26e962f33e SHA-256: a82ecc61d6edef2a4049dfc4b21dda2ac598d45ad042f9d6045fff50b195b60b
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains embedded links that redirect to a malicious URL, specifically 'https://ttraff.club/wix?keyword=uc+davis+college+confidential+transfer+2020'. The document body, though partially corrupted, also contains this URL and appears to be a lure related to college transfers. The presence of a large number of external PDF links suggests a link farm or SEO poisoning attempt to distribute malicious content. The ML classifier strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=uc+davis+college+confidential+transfer+2020
    • https://41a5161e-4c07-4c74-9d76-db70864c9013.filesusr.com/ugd/5dc3ca_f3d4248198af43cbaadbfcd8dd18e29a.pdf?index=true
    • https://b0461569-82ec-4fd7-9518-2dcfd2e3bcc1.filesusr.com/ugd/370ea2_44ba3e0bb6cb4594ab629935439dc298.pdf?index=true
    • https://eb37cbcb-282c-43d5-87ce-efafc7547a6e.filesusr.com/ugd/3ed44c_24d51cbfb9234bf3a8ee35b80d1413be.pdf?index=true
    • https://5716f33b-9840-444b-bb83-be0653f12cce.filesusr.com/ugd/d13e1f_c062974eacae4848b987422fff8b6b1c.pdf?index=true
    • https://1f97bdad-c627-41b6-b7c5-9920b4e1ae6e.filesusr.com/ugd/5dc3ca_d1175afdb9ff4a17b273070b8bd65a09.pdf?index=true
    • https://8f9e7c4d-83e0-432c-9b7a-873180c1d149.filesusr.com/ugd/48bf55_b2890cb0bcb649f880247a8b44ae3d53.pdf?index=true
    • https://1d26e9d9-527a-45fb-849f-164e1bb0fbeb.filesusr.com/ugd/9df9d6_1d10edf7253b4aea81fc2b593176001c.pdf?index=true
    • https://9420505a-8b72-42b4-a3de-374d98427fad.filesusr.com/ugd/5aec95_5174a5b4eaaf4749a2aca4b9e531a687.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0466/9014/0324/files/69704138450.pdf
    • https://cdn.shopify.com/s/files/1/0463/6943/9899/files/tutafufevoloxamegin.pdf
    • https://cdn.shopify.com/s/files/1/0435/4850/8311/files/definition_of_primary_research.pdf
    • https://cdn.shopify.com/s/files/1/0429/6104/3605/files/safiled.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/fexofedome.pdf
    • https://cdn.shopify.com/s/files/1/0430/6331/2535/files/alleluia_light_from_light_music_sheet.pdf
    • https://cdn.shopify.com/s/files/1/0439/4047/9131/files/cakewalk_vst_plugin_free.pdf
    • https://cdn.shopify.com/s/files/1/0459/8916/7266/files/personal_loan_application_form.pdf
    • https://cdn.shopify.com/s/files/1/0433/7962/2040/files/angularjs_templateurl_webpack.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000730f.bin
a667dbe6cf68a274cc9e655d34d1f87c6abe2e81560c9be9040ab220c3df3ab8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x730F 5300 bytes
font_01_sfnt_off00008524.bin
db1c52007ed590bb27fe3077f0e5f2ee6fd5803c1a6375cc0e1edeed0e91ee33		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8524 10036 bytes
font_02_sfnt_off0000a770.bin
ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA770 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.