Malicious PDF — malware analysis report

Static analysis result for SHA-256 c11b66d659e201e6…

MALICIOUS

PDF

44.8 KB Created: 2020-08-31 05:39:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 010df8cd0e9cc59d3f8da7f3962274b7 SHA-1: f0dc87fe38407779ecb40b05690e6287416b370c SHA-256: c11b66d659e201e6b4adc9903f93b55bf71d676b8bbd3ce2dc8ae9e83ee062e0
150 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to ttraff.com. This URL is used in a lure to download a Samsung driver. The document body also contains this URL, reinforcing its role in the attack. The PDF also contains a large number of external links, suggesting a link farm or SEO poisoning attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=driver+samsung+ml+2165w+download
    • https://static.usrfiles.com/ugd/dd4472_597a5e739b17481fa13adaaea852a19f.pdf
    • https://static.usrfiles.com/ugd/47b1e8_855d0383d9da43a5a1cc1e8d9ec305ad.pdf
    • https://static.usrfiles.com/ugd/bdeb4c_8366deecc44b4b4d9983b4c6b292778b.pdf
    • https://static.usrfiles.com/ugd/314c35_e6511e02b09f42138aa308f83f4747fd.pdf
    • https://cdn.shopify.com/s/files/1/0428/7276/6631/files/69456206691.pdf
    • https://cdn.shopify.com/s/files/1/0434/2926/5574/files/lemivubifana.pdf
    • https://cdn.shopify.com/s/files/1/0429/9682/6261/files/tenotageriwarowupetegig.pdf
    • https://cdn.shopify.com/s/files/1/0432/3131/4077/files/dekobemodevabazifaluribeb.pdf
    • https://cdn.shopify.com/s/files/1/0431/0702/5060/files/fanuvininegaxinifi.pdf
    • https://cdn.shopify.com/s/files/1/0433/2191/7598/files/13205015314.pdf
    • https://cdn.shopify.com/s/files/1/0433/9197/5580/files/sovasovubuliruguzawere.pdf
    • https://cdn.shopify.com/s/files/1/0431/3874/4469/files/goroxozo.pdf
    • https://cdn.shopify.com/s/files/1/0430/0147/9321/files/29638717169.pdf
    • https://cdn.shopify.com/s/files/1/0435/4850/8311/files/11639265988.pdf
    • https://cdn.shopify.com/s/files/1/0430/8480/8346/files/90235130856.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005638.bin
a16d78b4e765d5ee2bbe34147faa0d9708ca9f4bd36cf3b090d8d65c0d41a973		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5638 6548 bytes
font_01_sfnt_off0000668f.bin
1b0b1f9eeb54e017ce8fca0d11cfd9e610ac2ff48780fd4f3dbde44263b72bc7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x668F 5756 bytes
font_02_sfnt_off00007a32.bin
ab9b20d8007fbe030602149bc08ad167badd06bb4bb84bacb77de323ad226c53		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A32 14228 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.