PDF malware analysis — malicious · cbc088ae22c2fdc3

MALICIOUS

PDF

38.3 KB Created: 2020-08-31 02:13:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 2498c6e6a8e29c8fae4915ca9e1690bd SHA-1: 6b84b655594fcd9a9f579d4bcd7d358ec8085638 SHA-256: cbc088ae22c2fdc3079c12c2d01f4dcf892468cd959071858537baf8a4a31d5b

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass external link farm, with multiple URLs pointing to static.usrfiles.com, and a critical heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK. The primary malicious URL is https://ttraff.ru/wix?keyword=law+for+business+12th+edition, which is likely used to redirect users to a malicious site. The document body, though heavily obfuscated, contains text related to 'law for business' and the malicious URL, suggesting a lure to disguise the malicious intent. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=law+for+business+12th+edition
- https://static.usrfiles.com/ugd/ade4e6_ca3590ddfad64488a6ef1c5960435ca5.pdf
- https://static.usrfiles.com/ugd/a298ce_ea1445e6cfcf4ffeb51c2d208fde2534.pdf
- https://static.usrfiles.com/ugd/b8c837_3e23a41186604fdda221f1467e8a191e.pdf
- https://static.usrfiles.com/ugd/63022f_3a10c8f206f64652ad1a4c55e924c9af.pdf
- https://static.usrfiles.com/ugd/79e5df_f316a58a5f4f40ca9956332e29356c8f.pdf
- https://static.usrfiles.com/ugd/b8c837_506f562396bf4f09bcbc7d1bd30129cd.pdf
- https://static.usrfiles.com/ugd/913720_caa46e6da19e4048b94064861b30900d.pdf
- https://static.usrfiles.com/ugd/b13fd1_37fd25db81594a36a584f2f73cef272d.pdf
- https://static.usrfiles.com/ugd/b8c837_7877b9763f2e40b19743e642d20e898c.pdf
- https://cdn.shopify.com/s/files/1/0428/8276/0870/files/gazesirusokevimuxupidiz.pdf
- https://cdn.shopify.com/s/files/1/0436/9973/2635/files/rokunawavosozonafigun.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004abd.bin` `a2ecf76f17abded45765de66d8e26bde8a7548e59973003e76f3eb662edbb3d9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4ABD	5320 bytes
`font_01_sfnt_off00005ce8.bin` `4ccb82fdacb1e75eaebe02767398b112526af038ad9537847846651c6e0457d0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5CE8	14212 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.