Malicious PDF — malware analysis report

Static analysis result for SHA-256 b0a58853a36f956d…

MALICIOUS

PDF

48.9 KB Created: 2020-09-08 23:46:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 03c0341a7d251d266db6b0a05c40b00e SHA-1: 72d6c1e8f1ecc6acf78a6e2d43c8b55cd96a6d75 SHA-256: b0a58853a36f956d9cf8bd99117f67b0f5f48a5dc71ad78a59eef39c9113ef0d
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.com, which is likely used to obscure the final destination of the malicious payload. The document body, though heavily obfuscated, contains the same URL, suggesting it's the primary lure. The presence of a PDF link farm heuristic further indicates a malicious intent to distribute links, likely for phishing or malware distribution. No scripts were extracted, but the PDF structure and embedded links are sufficient to infer a malicious redirector attack.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=beyonce+coachella+performance+hd
    • https://static.usrfiles.com/ugd/0baf77_a9e16931e214496cbd1094ae44c8e9e3.pdf
    • https://static.usrfiles.com/ugd/cd81e9_542b8cca1f294882b8a146183f9e08ae.pdf
    • https://static.usrfiles.com/ugd/cbe7f7_92c1c7650ba3488a9de93283b546ab12.pdf
    • https://static.usrfiles.com/ugd/b8c837_301c36b947394c2687d7119b95287eb0.pdf
    • https://cdn.shopify.com/s/files/1/0440/6027/8936/files/75736221488.pdf
    • https://static.usrfiles.com/ugd/277b62_f535d7065c0d4b8db51229d2d2ed613c.pdf
    • https://static.usrfiles.com/ugd/b8c837_39f5b171722548ff9983643edcae0a0e.pdf
    • https://static.usrfiles.com/ugd/de65f7_aa8ab01ea4ba472db6b55aaf9213a185.pdf
    • https://static.usrfiles.com/ugd/b8c837_9ad48b43fafa4531af53524faa141fbf.pdf
    • https://static.usrfiles.com/ugd/b910ae_20f27716100a48239d2162a00030e150.pdf
    • https://static.usrfiles.com/ugd/eb6612_f0651ce89c8042e7bf41670c56d5d99a.pdf
    • https://static.usrfiles.com/ugd/88a84f_5ead95c8d53a492684692f7fdfedec00.pdf
    • https://static.usrfiles.com/ugd/92ee2b_d48d306e70f24077974c417c46e09c58.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007ded.bin
a321b65a7a0d9d6d4cc0c5d2b42a15505c97b136a7762d7448cbace09acddabf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7DED 5368 bytes
font_01_sfnt_off00009012.bin
2872c00ea17baadccc7000618fa710f251e2099efc33f82cee3cad7d28fa51ae		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9012 12084 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.