Malicious PDF — malware analysis report

Static analysis result for SHA-256 b362f7905839f1ad…

MALICIOUS

PDF

47.8 KB Created: 2020-08-29 02:03:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bf6f645f0b482613fc311ab259dbe57a SHA-1: 6eff5fb4170373e0e737d2203e4632e96c9779e8 SHA-256: b362f7905839f1ad5dc65f2cf17fb0b66c2ae1f5a0aa7aef00ffa5bedc5e96da
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.cc, which is disguised as a resource for interpreting SPSS output. This suggests a social engineering lure to direct users to malicious infrastructure. The PDF also contains a large number of embedded links, many pointing to static.usrfiles.com, which is indicative of SEO poisoning or link farming techniques to obscure the malicious redirector. No scripts were extracted, but the primary malicious activity appears to be the redirection to the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=interpret+repeated+measures+anova+output+spss
    • https://static.usrfiles.com/ugd/b8c837_476e506ee621455a999c44bbb08bdf8b.pdf
    • https://static.usrfiles.com/ugd/b8c837_7e7360412984469a97cd9c77fa8ca99b.pdf
    • https://static.usrfiles.com/ugd/b8c837_3a888254db0e487a9d5dedefc3f79604.pdf
    • https://static.usrfiles.com/ugd/b8c837_719c5dcdcfe849dfae97a78cf33d54d3.pdf
    • https://static.usrfiles.com/ugd/b8c837_1f4143c3fc0849e3a9f8ae1afe812a87.pdf
    • https://static.usrfiles.com/ugd/b8c837_93fb442f601d4f1396acf8fe3e42e002.pdf
    • https://static.usrfiles.com/ugd/b8c837_db432302575d4badb9a9a30699d2c826.pdf
    • https://static.usrfiles.com/ugd/b8c837_527e1dd520674f53a0cf9c4579a140c3.pdf
    • https://static.usrfiles.com/ugd/b8c837_ec31714a27b74abebb7d7c62c86ad74a.pdf
    • https://static.usrfiles.com/ugd/b8c837_fa43847652b8432c94fa547f8ebc3882.pdf
    • https://static.usrfiles.com/ugd/b8c837_964c2ae144f34a40bc95ae92fd1534ee.pdf
    • https://cdn.shopify.com/s/files/1/0434/2143/4023/files/52100765814.pdf
    • https://cdn.shopify.com/s/files/1/0434/6845/6088/files/nirerokepixunolus.pdf
    • https://cdn.shopify.com/s/files/1/0430/0872/1045/files/kupixora.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/87932640634.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007c91.bin
7d7cbca57cf406ea658313c4a2aab76adbbfc97f87675d00a6344a09fff9a6e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C91 5068 bytes
font_01_sfnt_off00008db0.bin
6055eab43f9b44a0a8c3bf70bafd9f47b5648a7236395052ad78ee655704dfd8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8DB0 10720 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.