Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf0a6c017f02b363…

MALICIOUS

PDF

58.0 KB Created: 2020-08-30 15:40:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f9f4798557b88c457f66664f76472db7 SHA-1: 878de0ef9ecf3aa8dbcf1d7ea09843a4031aaf89 SHA-256: bf0a6c017f02b36394f7207ac70166d8647f45b377859c6c1dd6fe2bbed3629f
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.cc, which is likely used to lead the user to a phishing or malware distribution site. The embedded URL is disguised with a keyword related to a game, suggesting a social engineering lure. The ML classifier strongly flagged this PDF as malicious, and the presence of a link farm further supports malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=lightforged+draenei+paladin+mount
    • https://static.usrfiles.com/ugd/b8c837_fac12a86590b4132b6abe6c0d0b3c924.pdf
    • https://static.usrfiles.com/ugd/93971e_58ae00a6db2b4c729455a59bee1cf6e2.pdf
    • https://static.usrfiles.com/ugd/8ab72e_eb2a69241b5f4a1d90f8bca900a69428.pdf
    • https://static.usrfiles.com/ugd/accd1f_d825424877fb433480568c4a9e9ca164.pdf
    • https://static.usrfiles.com/ugd/bfbc46_397f598fca6a45b79892100704e80632.pdf
    • https://static.usrfiles.com/ugd/191a6d_54a4e9af45824f20a2d73041ac3e8c74.pdf
    • https://static.usrfiles.com/ugd/67f5f7_da884641d90e4e3b8517352ca7264b82.pdf
    • https://static.usrfiles.com/ugd/b8c837_db74ee35a5e246d69909103f5f0c5f7d.pdf
    • https://static.usrfiles.com/ugd/1e32c2_f4bbd901888346dc81ad7ccd3509e4b3.pdf
    • https://cdn.shopify.com/s/files/1/0432/7312/6052/files/29015732861.pdf
    • https://cdn.shopify.com/s/files/1/0429/7188/9815/files/85251814311.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a552.bin
d2dcd954dbb0d6fd9de5394454a8f0e2aaa823c876d7282eb652c439f82bc3b6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA552 5216 bytes
font_01_sfnt_off0000b6ec.bin
4e97c33748c18a58130a3e181337f8a093fa52440ed381bb2c7dde4b00238bb6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB6EC 10888 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.