Malicious PDF — malware analysis report

Static analysis result for SHA-256 b1fe05e37f1ab888…

Verdict: MALICIOUS
File type: PDF
Size: 49.5 KB
Created: 2020-09-05 09:55:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0c865d36260ca63c52d1b4406c984187
SHA-1: 00afa20ded0495e5e8037cdb184a1a443bb5bdcb
SHA-256: b1fe05e37f1ab8882864fe364fc9ce522c4870cec0c945e1ac41c8bdbd656b76
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, directing users to 'https://ttraff.club/wix?keyword=bhojpuri+picture+video+ing+2013'. Additionally, it exhibits characteristics of a PDF link farm, with numerous links pointing to external PDFs hosted on 'static.usrfiles.com'. The ML classifier strongly supports the malicious verdict. No scripts were extracted, and the document body is heavily obfuscated, but the presence of the malicious redirector is sufficient evidence of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.club/wix?keyword=bhojpuri+picture+video+ing+2013
    • https://static.usrfiles.com/ugd/c1615c_c19a247a60914e8ea2089e13cae4ab0e.pdf
    • https://static.usrfiles.com/ugd/bb10c5_0120a7ed976e4b0fb44576a1ccdba03f.pdf
    • https://static.usrfiles.com/ugd/74c34a_dd2ed9a4c304400594d3afac0012e836.pdf
    • https://static.usrfiles.com/ugd/0511f5_1534101cbc3e4d058bedf1ba601a125b.pdf
    • https://static.usrfiles.com/ugd/b8c837_bc9582373ae4414cba0973542ec4f21e.pdf
    • https://static.usrfiles.com/ugd/a640e9_5156f05f9faa4ec88a624f6a1671fb26.pdf
    • https://static.usrfiles.com/ugd/b8bbd7_bcdb0ace567a4bf5a369772ea85d49c8.pdf
    • https://static.usrfiles.com/ugd/296484_9013ba3bacfb4f21a607ddf136cf5859.pdf
    • https://static.usrfiles.com/ugd/9e41f0_dd65b446f19f405f879f7c3b49f5a0b9.pdf
    • https://cdn.shopify.com/s/files/1/0432/2318/7614/files/division_of_fractions_worksheets_for_7th_grade.pdf
    • https://cdn.shopify.com/s/files/1/0440/7322/2294/files/gaxulevexekufuluw.pdf
    • https://cdn.shopify.com/s/files/1/0431/8468/5224/files/12605869087.pdf
    • https://cdn.shopify.com/s/files/1/0432/8914/9608/files/73524009507.pdf
    • https://cdn.shopify.com/s/files/1/0430/1144/0803/files/9162405925.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005b87.bin
  SHA-256: e52d49f44f60665f73ca7e2df4e0d43f48a45bd9cc7cf7fc23a4093958a46cf6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5B87
  Size: 5592 bytes

Filename: font_01_sfnt_off00006ea6.bin
  SHA-256: 7bc040742c418dc13c19b3922fab5083e3175fdc8bd57496482b7bc4bff52b5b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6EA6
  Size: 3228 bytes

Filename: font_02_sfnt_off00007bf9.bin
  SHA-256: 3c684e2580e6269c356eeb64ed654d70fc76d6f69f55dc95cc23a6aa56078d72
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7BF9
  Size: 11708 bytes

Filename: font_03_sfnt_off0000a2bf.bin
  SHA-256: 277aec5bb07adc9cb196a1e445b7a87abde9fc1dbe6b034cab180b3aabd02737
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA2BF
  Size: 16292 bytes