Malicious PDF — malware analysis report

Static analysis result for SHA-256 c70d4e6b5cbebf9c…

MALICIOUS

PDF

36.5 KB Created: 2020-08-31 05:43:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 01bcb0a7b9ee8fd772dbdbf48c283c4e SHA-1: 02d65d9d6708c877072e02ec6d79c362c381d78c SHA-256: c70d4e6b5cbebf9c0e5fd66637cda6cd571676b9cee2da602a5e4d135a492e54
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, many hosted on 'static.usrfiles.com'. The document body, though heavily obfuscated, contains the same malicious URL and a reference to 'wkhtmltopdf', suggesting it was generated programmatically to host these links. The primary intent appears to be directing users to malicious infrastructure via the 'ttraff.com' URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=acgih+2019+portugues+comprar
    • https://static.usrfiles.com/ugd/b444d4_36e1e96343fb4d419c8f5c12ee8fb2d3.pdf
    • https://static.usrfiles.com/ugd/3de8a6_a380e5bf7ae948acba2b4e12fe0d06ff.pdf
    • https://static.usrfiles.com/ugd/3e5d97_4832ae7c36bc426583f4b9facbebaf8e.pdf
    • https://static.usrfiles.com/ugd/7baf93_985a3de99f7d4e00a034b9472eddbfdd.pdf
    • https://static.usrfiles.com/ugd/bfbc46_c89573614727403180a8af88caf74e07.pdf
    • https://cdn.shopify.com/s/files/1/0443/9290/6918/files/kali_linux_highly_compressed_iso_free.pdf
    • https://cdn.shopify.com/s/files/1/0450/6674/8056/files/surah_ar_rahman_bangla_pronunciation.pdf
    • https://cdn.shopify.com/s/files/1/0428/6621/3031/files/anatolian_languages.pdf
    • https://static.usrfiles.com/ugd/b8c837_258c5ebfe2f44e61ae08dfc4b160009d.pdf
    • https://static.usrfiles.com/ugd/ab922d_1e88895fd54e46e7ada75ffa86061003.pdf
    • https://static.usrfiles.com/ugd/a4d998_b7ec17b22c4a408a9c9c00bb860c2a34.pdf
    • https://cdn.shopify.com/s/files/1/0431/5434/2042/files/jojovijib.pdf
    • https://cdn.shopify.com/s/files/1/0427/4126/8647/files/17324237055.pdf
    • https://cdn.shopify.com/s/files/1/0434/8647/8489/files/ov_guide_adult.pdf
    • https://cdn.shopify.com/s/files/1/0429/2601/4620/files/rimerurevazufijitav.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004c9a.bin
ecb30a34d1b09f471cb956b3fdfc7fe1feaaa59652624c87084eb1eef16df27e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4C9A 5788 bytes
font_01_sfnt_off00006034.bin
37bb07929c9ed9b3c0067b8a6b27ed520a69887c42390e94cc7313db5787cb8a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6034 10316 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.