Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6f9e48430b699ce…

MALICIOUS

PDF

39.1 KB Created: 2020-09-04 13:00:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 03f7dd34066558d38002adfbcb794978 SHA-1: 82f50562ae0144aa4ef7886c0e800a4ed25af9f8 SHA-256: c6f9e48430b699ce6d93c63ad9f8a398e3c78c1b6961cca5675510289b1fd0a2
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=effectuated+enrollment+report'. This URL is likely used to redirect users to malicious content. The document body, though heavily obfuscated, contains text fragments and URLs that align with a social engineering lure, attempting to disguise itself as an 'enrollment report'. The presence of numerous other PDF links, many pointing to static.usrfiles.com, suggests a link farm or redirection strategy to obscure the final malicious destination.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=effectuated+enrollment+report
    • https://static.usrfiles.com/ugd/8ba634_5bf4f4e21812462f9741b13d4e9101b1.pdf
    • https://static.usrfiles.com/ugd/10a4aa_d2f50d3b6cf646308bd620aca3d734a9.pdf
    • https://static.usrfiles.com/ugd/1e11d0_b8cd95b56a6c492b800836fd33a03aa4.pdf
    • https://static.usrfiles.com/ugd/b8c837_aa2cf6b96ada42b1abdcefda0868898e.pdf
    • https://static.usrfiles.com/ugd/b8c837_fd3659b497844cf6a7dd355e08143771.pdf
    • https://static.usrfiles.com/ugd/a8cc01_5fa3a456e9514496975589fed2d0eaf8.pdf
    • https://static.usrfiles.com/ugd/79e0dc_80de92d965914f2ab757e7a5a249f6b1.pdf
    • https://static.usrfiles.com/ugd/724fb5_8e24894121d84894a4daaeb27b936cba.pdf
    • https://static.usrfiles.com/ugd/9e41f0_6aa451392159487c8e9a14be4caff155.pdf
    • https://static.usrfiles.com/ugd/9c58c5_1888de6c6a9e497f93fb1baa310544fc.pdf
    • https://static.usrfiles.com/ugd/08fe48_a697c229bea24db1b4100828fe20fbf1.pdf
    • https://cdn.shopify.com/s/files/1/0429/0389/6230/files/new_bollywood_movies_mkv_free.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/85755015361.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/nulanevu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c62.bin
d3ab1cf0ad21a133d7e5afd9121de6515c1a1f3fadf4f0d26bd576bbdb54f11c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C62 5080 bytes
font_01_sfnt_off00006d9e.bin
2dc83b9e1dfc8c2380a804ec28c795144214dfdd091056c06da9c0a7c0499bf2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D9E 10032 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.