Malicious PDF — malware analysis report

Static analysis result for SHA-256 b753b35f2fa3b191…

Verdict: MALICIOUS
File type: PDF
Size: 45.7 KB
Created: 2020-09-02 00:29:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bc0a9eb8ef56639e9ccb20a0f2dc0891
SHA-1: e07bbf1f8f53f6a74cc9258778cbe0d43540d274
SHA-256: b753b35f2fa3b19181747b1c1286bc3392cf1e44090f9632d34b072035d0d2f3
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to a link farm designed to redirect users. One prominent URL, 'https://ttraff.cc/wix?keyword=muscle+gain+diet+plan+pdf+vegetarian', is flagged as a malicious redirector. The document body, though heavily obfuscated, contains this URL and other links to static.usrfiles.com, suggesting a lure to external malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=muscle+gain+diet+plan+pdf+vegetarian
    • https://static.usrfiles.com/ugd/0dcf4b_eb3ef48dc30d41a390ed4a0b081371a2.pdf
    • https://static.usrfiles.com/ugd/934fc3_53a215d7d96e48e28050b71b470d42fc.pdf
    • https://static.usrfiles.com/ugd/6f53d7_d031ac6cf9174d709f692bc50be1cb44.pdf
    • https://static.usrfiles.com/ugd/a107db_f33bca3b7659450085b688cda3dbe703.pdf
    • https://static.usrfiles.com/ugd/e4a001_411a3bdd22e94fbdba1521142038ae6a.pdf
    • https://static.usrfiles.com/ugd/ff2e72_fe34dfb6b8d144a184c8a29e6f2ff7a0.pdf
    • https://static.usrfiles.com/ugd/b8c837_7c626649102a4549a26980a6f02a05ce.pdf
    • https://static.usrfiles.com/ugd/34ec99_72301d38fcc4415f99694f87451fb542.pdf
    • https://static.usrfiles.com/ugd/01e791_6e89f686a7ca4a8194e2efbb154b0377.pdf
    • https://static.usrfiles.com/ugd/9734e7_39f38ab69ff1448e8e99c13556b59334.pdf
    • https://static.usrfiles.com/ugd/e2c6c1_7fc0c36a5c464490878b381a99884f60.pdf
    • https://static.usrfiles.com/ugd/b8c837_61f9a956a804494d9c3f16d03c9cedbb.pdf
    • https://static.usrfiles.com/ugd/b91566_da7a3bdeb9a0459492ece87360802d7e.pdf
    • https://static.usrfiles.com/ugd/37987b_7fe0473036a94fa284b2d1218dc187e2.pdf
    • https://static.usrfiles.com/ugd/11f207_3caba63af7104c5797bff55d01765bf8.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00006848.bin
    SHA-256: a42ddfa5c62d75a1d7a8cad480b55361d8cde6d4767e025ecf7129ce806cd4c1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6848
    Size: 5160 bytes
  • font_01_sfnt_off000079f2.bin
    SHA-256: fcd776cfd8ad20cf83a083e10b86a35ec6894490dd23a3acc5c1d30228cb89e9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x79F2
    Size: 9944 bytes
  • font_02_sfnt_off00009be9.bin
    SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9BE9
    Size: 4324 bytes