Malicious PDF — malware analysis report

Static analysis result for SHA-256 a87273d5ad0842b7…

Verdict: MALICIOUS
File type: PDF
Size: 40.0 KB
Created: 2020-09-03 00:42:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 062cb85cecd688f57834dc11fc5b01b8
SHA-1: 89c232f946716dc4153f7949a86ed1710d50f963
SHA-256: a87273d5ad0842b74fd46090fc0f4e4a0ce1c78dac31bd8e4dd355b642ce9edf
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link
  • T1059.001 Command and Scripting Interpreter: PowerShell (no script content was extracted from this sample, so nothing in the artifacts below supports this mapping)

The PDF contains a single clickable link to ttraff.com, a known malicious redirector, whose query string (keyword=bexar+county+appraisal+district+protest+form) disguises it as a 'Bexar county appraisal district protest form'; this is the lure that draws a user into the redirect chain. The document also carries twelve clickable links to other PDFs on static.usrfiles.com and one on cdn.shopify.com, the clustered cross-linking pattern of a generated SEO link farm built to raise the search ranking of such lures. The producer string (wkhtmltopdf) is consistent with a document rendered from an HTML template rather than authored by hand. No JavaScript or other script content was extracted; the sample relies on the user clicking the link and on the redirect chain that follows, not on a PDF parser vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Clickable link annotations (/URI actions):
    • https://ttraff.com/pify?keyword=bexar+county+appraisal+district+protest+form
    • https://static.usrfiles.com/ugd/c7a620_c165dec738ec43cf938d412bc22ee578.pdf
    • https://static.usrfiles.com/ugd/b8c837_ff09e15e8566437586da748741ea1a6a.pdf
    • https://static.usrfiles.com/ugd/b85eb0_d9fc57d593304ee582e09f11aacfdb90.pdf
    • https://static.usrfiles.com/ugd/c0a468_fa308105e4ed44f6ae4ce441a941976b.pdf
    • https://cdn.shopify.com/s/files/1/0434/1753/4629/files/pinaz.pdf
    • https://static.usrfiles.com/ugd/b8c837_855f1828950c49308e396aa98137963a.pdf
    • https://static.usrfiles.com/ugd/9b5f63_7b11f0dd733442028c66ff1072f17cd6.pdf
    • https://static.usrfiles.com/ugd/b8c837_15d987383e264efbaaf12855d5cf5ee2.pdf
    • https://static.usrfiles.com/ugd/353d00_c40d965f46e5400fac2527c9d75bb00e.pdf
    • https://static.usrfiles.com/ugd/0c4177_466edf8a25784df9ad249ffeaacc46f6.pdf
    • https://static.usrfiles.com/ugd/607883_4597d29f001247b2b4c43b316516ceb2.pdf
    • https://static.usrfiles.com/ugd/2d1648_0fbc0c007a2642308544e2401f7296ce.pdf
    • https://static.usrfiles.com/ugd/682d1c_cb6e79bdc2e942bca93dd2f5f3d86afd.pdf
    XMP metadata namespace URIs found in the document's metadata packet (schema identifiers, not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
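The two critical heuristics above (PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM) and the EMBEDDED_URL note can be reproduced with a small triage script. What follows is an added example written for this page, not the analysis service's own code. It rebuilds an uncompressed PDF skeleton that carries the report's fourteen link annotations and six XMP namespaces (a constructed stand-in, not the real 40 KB sample), separates URIs reachable through /URI link actions from URLs that merely appear somewhere in the bytes, and applies the two rules with assumed thresholds (256 KB, eight external .pdf links, at least half of the link annotations on one host) and a hypothetical redirector watchlist seeded only with the ttraff.com host named in the report.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Hypothetical watchlist: ttraff.com is the redirector named in the report
# above. Nothing is implied about any other host.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.com"}

# A /URI key followed by a PDF literal string (common escapes only) or a hex
# string. This sees only objects stored uncompressed; for real samples inflate
# object streams first (qpdf --qdf, pypdf) and run the same regexes on the result.
URI_LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")


def extract_link_uris(pdf: bytes) -> list:
    """URIs reachable through /URI actions, i.e. clickable link annotations."""
    uris = [re.sub(rb"\\([()\\])", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_LITERAL_RE.finditer(pdf)]
    uris += [bytes.fromhex(re.sub(rb"\s", b"", m.group(1)).decode()).decode("latin-1")
             for m in URI_HEX_RE.finditer(pdf)]
    return uris


def extract_all_urls(pdf: bytes) -> list:
    """Every http(s) URL anywhere in the bytes, XMP namespace URIs included."""
    return sorted({m.group().decode("latin-1") for m in ANY_URL_RE.finditer(pdf)})


def classify(pdf: bytes, size_limit: int = 256 * 1024, min_pdf_links: int = 8,
             cluster_ratio: float = 0.5) -> list:
    """(heuristic_id, detail) pairs mirroring the report's two critical rules.
    The thresholds are assumptions, not the analysis service's real values."""
    links = extract_link_uris(pdf)
    hosts = Counter(urlparse(u).netloc.lower() for u in links)
    findings = []
    hits = sorted(h for h in hosts if h in KNOWN_REDIRECTOR_HOSTS)
    if hits:
        findings.append(("PDF_MALICIOUS_REDIRECTOR_LINK", ", ".join(hits)))
    # Only clickable links ending in .pdf count; metadata URLs never reach here.
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf) <= size_limit and len(pdf_links) >= min_pdf_links:
        top_host, top_n = hosts.most_common(1)[0]
        if top_n / len(links) >= cluster_ratio:
            findings.append(("PDF_SEO_LINK_FARM",
                             f"{top_n}/{len(links)} link annotations point at {top_host}"))
    return findings


def build_sample_pdf(link_urls: list, xmp_namespaces: list) -> bytes:
    """Constructed, uncompressed PDF skeleton (not the real sample): one /Link
    annotation per URL plus an XMP packet that merely names the namespace URIs."""
    xmp = b"<x:xmpmeta " + b" ".join(
        b'xmlns:ns%d="%s"' % (i, ns.encode()) for i, ns in enumerate(xmp_namespaces)) + b"/>"
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >>",
            b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>",
            b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream" % (len(xmp), xmp),
            b"<< /Type /Page /Parent 2 0 R /Annots [%s] >>"
            % b" ".join(b"%d 0 R" % (5 + i) for i in range(len(link_urls)))]
    for url in link_urls:
        lit = url.encode().replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (%s) >> >>" % lit)
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


# Link annotation targets and XMP namespaces as listed in the report above.
SAMPLE_LINKS = [
    "https://ttraff.com/pify?keyword=bexar+county+appraisal+district+protest+form",
    "https://static.usrfiles.com/ugd/c7a620_c165dec738ec43cf938d412bc22ee578.pdf",
    "https://static.usrfiles.com/ugd/b8c837_ff09e15e8566437586da748741ea1a6a.pdf",
    "https://static.usrfiles.com/ugd/b85eb0_d9fc57d593304ee582e09f11aacfdb90.pdf",
    "https://static.usrfiles.com/ugd/c0a468_fa308105e4ed44f6ae4ce441a941976b.pdf",
    "https://cdn.shopify.com/s/files/1/0434/1753/4629/files/pinaz.pdf",
    "https://static.usrfiles.com/ugd/b8c837_855f1828950c49308e396aa98137963a.pdf",
    "https://static.usrfiles.com/ugd/9b5f63_7b11f0dd733442028c66ff1072f17cd6.pdf",
    "https://static.usrfiles.com/ugd/b8c837_15d987383e264efbaaf12855d5cf5ee2.pdf",
    "https://static.usrfiles.com/ugd/353d00_c40d965f46e5400fac2527c9d75bb00e.pdf",
    "https://static.usrfiles.com/ugd/0c4177_466edf8a25784df9ad249ffeaacc46f6.pdf",
    "https://static.usrfiles.com/ugd/607883_4597d29f001247b2b4c43b316516ceb2.pdf",
    "https://static.usrfiles.com/ugd/2d1648_0fbc0c007a2642308544e2401f7296ce.pdf",
    "https://static.usrfiles.com/ugd/682d1c_cb6e79bdc2e942bca93dd2f5f3d86afd.pdf",
]
XMP_NAMESPACES = ["http://www.w3.org/1999/02/22-rdf-syntax-ns#", "http://purl.org/dc/elements/1.1/",
                  "http://ns.adobe.com/pdf/1.3/", "http://ns.adobe.com/xap/1.0/",
                  "http://ns.adobe.com/xap/1.0/mm/", "http://ns.adobe.com/xap/1.0/rights/"]
SAMPLE_PDF = build_sample_pdf(SAMPLE_LINKS, XMP_NAMESPACES)

if __name__ == "__main__":
    print(len(SAMPLE_PDF), "bytes,", len(extract_link_uris(SAMPLE_PDF)), "link annotations")
    for finding in classify(SAMPLE_PDF):
        print(*finding)
```

The split between extract_link_uris and extract_all_urls is the point of the EMBEDDED_URL note: the six XMP namespace URIs show up in the loose URL sweep but never match a /URI action, so they are inventory, not a detection. On real samples the annotations usually sit inside Flate-compressed object streams, so decompress before the regex pass or the link count will be zero and the link-farm rule will silently miss.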

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     | Kind            | Source                                    | Size        | SHA-256
font_00_sfnt_off00005d7d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5D7D | 5520 bytes  | 9488e0eb52a4593ada748635526a364eb082d6e31d80dc4d274a7cc9dd80c77a
font_01_sfnt_off0000703f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x703F | 10204 bytes | dd35e935fee83baf2f2e27dae93d5e979d0d55906a90a5c40433d43cca30ccc1
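The offsets and sizes in the table come from locating sfnt (TrueType/OpenType) font headers inside the PDF's font streams and measuring each font from its own table directory. The script below is an added example for this page, not the service's carver: it scans a buffer for the sfnt magic values, rejects false positives by validating the table directory, computes the font length as the end of its furthest table, and emits rows in the shape of the table above. The 32-byte font and the PDF-like container it is planted in are constructed here so the script runs offline; the '/Marked true' entry is a deliberate decoy showing why header validation matters.

```python
import hashlib
import struct

# sfnt version/magic values that begin a TrueType or OpenType font file.
SFNT_MAGICS = {b"\x00\x01\x00\x00": "TrueType", b"OTTO": "OpenType/CFF",
               b"true": "TrueType (Apple)"}


def sfnt_length(buf: bytes, off: int, max_tables: int = 64):
    """Byte length of the sfnt whose header starts at buf[off], computed from
    its table directory, or None if the bytes there are not a plausible header.
    The last table's 4-byte alignment padding (at most 3 bytes) is not counted."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 1 <= num_tables <= max_tables:
        return None
    dir_size = 12 + 16 * num_tables
    end = dir_size
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        if rec + 16 > len(buf):
            return None
        tag, _checksum, t_off, t_len = struct.unpack_from(">4sIII", buf, rec)
        # Table tags are four printable ASCII bytes ('head', 'cvt ', 'OS/2', ...).
        if not all(0x20 <= b < 0x7F for b in tag):
            return None
        # Tables live after the directory and must fit inside the buffer.
        if t_off < dir_size or t_off + t_len > len(buf) - off:
            return None
        end = max(end, t_off + t_len)
    return end


def carve_sfnt_fonts(buf: bytes) -> list:
    """Scan for sfnt headers; return (offset, length, kind, data) sorted by offset."""
    found = []
    for magic, kind in SFNT_MAGICS.items():
        start = 0
        while (off := buf.find(magic, start)) != -1:
            length = sfnt_length(buf, off)
            if length:
                found.append((off, length, kind, buf[off:off + length]))
            start = off + 1
    return sorted(found, key=lambda f: f[0])


def artifact_table(buf: bytes) -> list:
    """Rows in the shape of the report's 'Extracted artifacts' table."""
    rows = []
    for i, (off, length, _kind, data) in enumerate(carve_sfnt_fonts(buf)):
        rows.append({"filename": f"font_{i:02d}_sfnt_off{off:08x}.bin",
                     "kind": "pdf-font-stream",
                     "source": f"PDF embedded font (sfnt) at offset 0x{off:X}",
                     "size": length,
                     "sha256": hashlib.sha256(data).hexdigest()})
    return rows


# Constructed 32-byte sfnt: header (version 1.0, one table, searchRange 16,
# entrySelector 0, rangeShift 0) + one directory record for 'head' at offset 28
# with length 4 + 4 bytes of table data.
FAKE_SFNT = (b"\x00\x01\x00\x00" + struct.pack(">HHHH", 1, 16, 0, 0)
             + b"head" + struct.pack(">III", 0, 28, 4) + b"\xde\xad\xbe\xef")

# Constructed PDF-like container (not the real sample). '/Marked true' is a
# decoy: the 'true' magic is followed by '>>', which reads as 15934 tables and
# is rejected by sfnt_length.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /MarkInfo << /Marked true>> >>\nendobj\n"
              b"2 0 obj\n<< /Length 32 /Length1 32 >>\nstream\n" + FAKE_SFNT
              + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%EOF\n")

if __name__ == "__main__":
    for row in artifact_table(SAMPLE_PDF):
        print(row)
```

Against a real PDF the font stream is usually Flate-compressed, so carve from the inflated stream contents (or a qpdf --qdf rewrite of the file) rather than the raw bytes; the offsets reported above are then relative to whatever buffer was scanned, which is worth recording next to each artifact.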