Malicious PDF — malware analysis report

Static analysis result for SHA-256 c24ecd7461a074d7…

MALICIOUS

PDF

33.6 KB Created: 2020-09-09 14:43:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0342c2c19b78d359f6ad067b01891cef SHA-1: d3f88e582cf2177859c5339729c3015af6d04c82 SHA-256: c24ecd7461a074d7eb713d125a95d2cafc0c5f6739f5c6714663c81ea64b989d
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, pointing to ttraff.ru. This URL is presented within the document body, disguised as search results for 'latest bhojpuri video song 2019'. The document also contains a PDF link farm heuristic, indicating it hosts numerous external links, with the first identified link being to static.usrfiles.com. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=latest+bhojpuri+video+song++2019
    • https://static.usrfiles.com/ugd/8b2c09_ff9d1e49f3d84309abadcc39ef8c2a0c.pdf
    • https://static.usrfiles.com/ugd/b8c837_8041330707dd494c971443e5c356c8ae.pdf
    • https://static.usrfiles.com/ugd/dad7b5_0fd3ed478741444c9ed3c75cc90f6d29.pdf
    • https://static.usrfiles.com/ugd/76de1a_576b4e9ff45b4568bada1faa24436f69.pdf
    • https://static.usrfiles.com/ugd/2a2e94_f61c2599dd0941fca1c2f473e697688d.pdf
    • https://static.usrfiles.com/ugd/9cfd0a_2c4f50fe907042d7975b36d52b888771.pdf
    • https://static.usrfiles.com/ugd/9e14ca_f0e9f6f469614967b2a84cf54b53a16c.pdf
    • https://static.usrfiles.com/ugd/df73ab_1f188dcfdf394b9bb4a1ebaae0f07b95.pdf
    • https://cdn.shopify.com/s/files/1/0452/5611/4337/files/broker_agreement_template_south_africa.pdf
    • https://cdn.shopify.com/s/files/1/0427/8976/5279/files/tedop.pdf
    • https://cdn.shopify.com/s/files/1/0437/7506/6273/files/96349816044.pdf
    • https://cdn.shopify.com/s/files/1/0438/0862/0701/files/gikexoxukebip.pdf
    • https://cdn.shopify.com/s/files/1/0434/9339/2536/files/abecedario_coreano_espaol.pdf
    • https://cdn.shopify.com/s/files/1/0434/8909/9938/files/fifupagokemetupor.pdf
    • https://cdn.shopify.com/s/files/1/0429/8774/9525/files/84704534285.pdf
    • https://cdn.shopify.com/s/files/1/0434/5056/4773/files/sakidow.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000045d0.bin
ff2d5e2468ae894511798795824a83ea034d2a8049733c485d14a5b912970f52		 pdf-font-stream PDF embedded font (sfnt) at offset 0x45D0 5888 bytes
font_01_sfnt_off000059de.bin
4f4e97952df944f0a5abb197035b3d751d1286d22ad514f13a2045a1d2920976		 pdf-font-stream PDF embedded font (sfnt) at offset 0x59DE 9316 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.