Malicious PDF — malware analysis report

Static analysis result for SHA-256 ca4cd85a5069b0bd…

MALICIOUS

PDF

61.9 KB Created: 2020-09-10 03:02:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 17bcc0d925cb98164e8d94f04e8d6d73 SHA-1: 30641e8a28e289060fa04aa044d0d58053f71de8 SHA-256: ca4cd85a5069b0bdf96a26954bc0a50f83971c750cfc0bd2f57d33f06f9745ac
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'ttraff.club'. This URL is embedded within the document body, disguised as a worksheet title. The PDF also exhibits characteristics of a link farm, with numerous external links, many hosted on 'static.usrfiles.com'. The ML classifier strongly flagged this PDF as malicious. No scripts were extracted, but the primary attack vector appears to be social engineering via a deceptive link.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/pify?keyword=osmosis+and+diffusion+practice+worksheet
    • http://files.kauaicleaningdoneright.com/uploads/1/3/1/3/131380175/608e942.pdf
    • http://files.aprilborrelli.com/uploads/1/3/1/4/131452949/3910319.pdf
    • http://temavisi.pcaknights.org/uploads/1/3/1/6/131606490/5303793.pdf
    • http://files.movris.com/uploads/1/3/2/7/132741339/75de47a18e05c.pdf
    • http://files.godancedynamics.com/uploads/1/3/2/7/132740339/9c10ecee8.pdf
    • https://static.usrfiles.com/ugd/6da380_bef9f8f0a9db4fbfa65e4bc42fcded44.pdf
    • https://static.usrfiles.com/ugd/99a8f2_3b94d1ec81274f57bf762a8d847e57c6.pdf
    • https://static.usrfiles.com/ugd/ced2dc_55edefbd737e483fa4fa215ad5082a32.pdf
    • https://static.usrfiles.com/ugd/e4ff69_2ebc2f92e87243849dc5b2c6f4a3c394.pdf
    • https://static.usrfiles.com/ugd/35e1ce_de150d91de334ef8a1fe867dde8d3f6e.pdf
    • https://cdn.shopify.com/s/files/1/0431/1541/3661/files/20220283167.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/mafimovudowejiner.pdf
    • https://cdn.shopify.com/s/files/1/0436/0686/8131/files/sonic_porn_gifs.pdf
    • https://cdn.shopify.com/s/files/1/0432/8315/3056/files/durevagiferesoxatat.pdf
    • https://cdn.shopify.com/s/files/1/0437/6900/4190/files/umbrella_academy_comics_fr.pdf
    • https://cdn.shopify.com/s/files/1/0464/6027/2808/files/windows_10_recovery_boot_usb.pdf
    • https://cdn.shopify.com/s/files/1/0434/4214/3397/files/mibob.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a929.bin
85b692c1c636aed9ab1240d2a7361179fdd6c0849396a06064984f922e967b4f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA929 2828 bytes
font_01_sfnt_off0000b323.bin
3a0fb953e2f54d3fe597d7fe53a4b50fad7b1eee9821da115b1cdfa67bcbd7b7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB323 5544 bytes
font_02_sfnt_off0000c5e4.bin
6329460db14876c3402400a271f5ca3795f8cea6cde0dade890552ea4a28045d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC5E4 9876 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.