Malicious PDF — malware analysis report

Static analysis result for SHA-256 bb8f8ea2113f77e2…

MALICIOUS

PDF

44.1 KB Created: 2020-09-07 03:31:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d673cc21d7b780b9db80ade9acf69fd8 SHA-1: 2b0b9418e64f0d4bda0fbd4ea2b23f9fd13a13b3 SHA-256: bb8f8ea2113f77e205292dc31f2833664af8fbc6d7ef737c60235733e3b58a35
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, directing users to 'https://ttraff.me/wix?keyword=reported+speech+online+test+for+class+7'. Additionally, it features a large number of external PDF links, many hosted on static.usrfiles.com, suggesting a link farm or SEO poisoning attempt. The document body, though heavily obfuscated, contains the same lure text as the malicious URL, indicating a social engineering attempt to trick users into clicking the link. No scripts were extracted, but the presence of a malicious redirector and the lure text strongly suggest a phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=reported+speech+online+test+for+class+7
    • https://static.usrfiles.com/ugd/d38238_19c0e8dd84ee4a8eb968b7572b7e9761.pdf
    • https://static.usrfiles.com/ugd/ab059d_e209d7c453fe486eaa3715598bbd1c36.pdf
    • https://static.usrfiles.com/ugd/5438e3_075bb1dc00174e48b9e5568225e2668f.pdf
    • https://static.usrfiles.com/ugd/4bb103_b09ae2df18a645528ea4be54af71bae5.pdf
    • https://cdn.shopify.com/s/files/1/0431/2009/9488/files/37890729705.pdf
    • https://cdn.shopify.com/s/files/1/0463/1638/8509/files/buying_behaviour_model.pdf
    • https://cdn.shopify.com/s/files/1/0431/5371/9452/files/40968987071.pdf
    • https://cdn.shopify.com/s/files/1/0437/6464/6042/files/wetamuvezo.pdf
    • https://cdn.shopify.com/s/files/1/0436/4225/7561/files/astm_a572_a572m.pdf
    • https://cdn.shopify.com/s/files/1/0429/1585/6550/files/dafuraju.pdf
    • https://cdn.shopify.com/s/files/1/0462/4442/9984/files/fighting_boy_meets_girl.pdf
    • https://static.usrfiles.com/ugd/8f6098_4665cd007b314addb9becf8aef57b8dd.pdf
    • https://static.usrfiles.com/ugd/8ba634_8222a289f2164685a7fea5ecaa359cff.pdf
    • https://static.usrfiles.com/ugd/625844_3099c8dbb2f449beba4b4ff971e1f6b2.pdf
    • https://static.usrfiles.com/ugd/2d797c_a1053958624e4a4b8a7e575e5c971b92.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006e9e.bin
ffd501a26c626e340cbcb563ee151985367114030cfaf1d4269b07675340ee23		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E9E 5332 bytes
font_01_sfnt_off000080c9.bin
12dd99c245cf8079c90dabce27dd905d7215b3c441b4a57900abc9c58cd0291b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x80C9 10224 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.