Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa1c0df7e2126b67…

MALICIOUS

PDF

Size: 37.5 KB
Created: 2020-09-03 17:58:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a273631e57ceeac646a63e0710f893ba
SHA-1: 364e73ddf897ccbd130930fa0e993cd5623e40b5
SHA-256: aa1c0df7e2126b6788d17fb7fe9072ade8f521db3dad1ffe564907a5a070b81a
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, identified as a link farm. One of these links, 'https://ttraff.cc/wix?keyword=template+plan+d%2527+action+ppt', is flagged as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting it is the primary lure. The presence of a large number of external PDF links further supports the attack pattern of a link farm designed to lead users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.cc/wix?keyword=template+plan+d%2527+action+ppt
    • https://static.usrfiles.com/ugd/1a89c8_5539ab1edae8477ebb4f2232f9d87946.pdf
    • https://static.usrfiles.com/ugd/4c1554_756f509e5de9463ea7ed53d3764ec9e6.pdf
    • https://static.usrfiles.com/ugd/027f51_20cb4198464b49c28ad9d6b3251a7526.pdf
    • https://static.usrfiles.com/ugd/5af86b_53dc43278f5d4f8b91333313f3dc9a2f.pdf
    • https://static.usrfiles.com/ugd/ca32a8_465f0ccab93a445ea0edfff01892db97.pdf
    • https://static.usrfiles.com/ugd/b8c837_6d1f8fe4a33d46089843b871d05a5bbf.pdf
    • https://static.usrfiles.com/ugd/b58d21_740e86c2f7f041b49ee208eeafcb078c.pdf
    • https://static.usrfiles.com/ugd/55f640_c05c95a1c11c41f8b39c3f8e312ce136.pdf
    • https://static.usrfiles.com/ugd/3de8a6_06b8ed43bfb342d5abfcce1aa6ec6f15.pdf
    • https://static.usrfiles.com/ugd/bca722_fefcae85d4fa4b9a8e2dca9c4fd38d32.pdf
    • https://static.usrfiles.com/ugd/e3325f_1ffbbf554df84553a10d9f1a9174016b.pdf
    • https://static.usrfiles.com/ugd/b7306e_5545a880ee994436a7d34246f186dfd7.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005668.bin
  SHA-256: 0cedb2e63972b006fcff087480d904d25f0a6e08a11390ad98856a81dbde3b07
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5668
  Size: 4928 bytes

Filename: font_01_sfnt_off00006720.bin
  SHA-256: 671b9b4bd99c067a38b06ddfb0eb74dfa5aec561bb6506c3f4c3d9278a88e458
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6720
  Size: 10012 bytes