Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc272715aa36af36…

MALICIOUS

PDF

40.8 KB Created: 2020-09-07 10:40:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c1d8f2f726e8ea2aeb9a7e2a633d9e1f SHA-1: b4924348a02bf01a1377d6d47da15c18469f6cac SHA-256: cc272715aa36af367b8cc7e74d9b554e867b6c696ff05f33d317b7ac4f1e3fbe
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains embedded links that point to a known malicious redirector. The document body, though heavily obfuscated, contains text that appears to be a lure, referencing a 'user manual for samsung qled tv' and including the malicious URL. The heuristic firings confirm the presence of malicious redirector links and a link farm, indicating a phishing or social engineering attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=user+manual+for+samsung+qled+tv
    • https://static.usrfiles.com/ugd/227d0f_6deb6412c35a4ab5a5b7b9a57d8a0480.pdf
    • https://static.usrfiles.com/ugd/d2cc1f_e7848b876feb4d5690b727a0366b66ae.pdf
    • https://static.usrfiles.com/ugd/a58502_bb40295c671e486db5220212c291e4f7.pdf
    • https://static.usrfiles.com/ugd/b8c837_68ddddd5a1754db5928c765591c206e2.pdf
    • https://cdn.shopify.com/s/files/1/0440/7833/4117/files/titanic_online_scavenger_hunt.pdf
    • https://static.usrfiles.com/ugd/8f6098_243d674b3c5646f0bfa20c7b697fe916.pdf
    • https://static.usrfiles.com/ugd/0c8cc8_0f86de002c9e4581a169871c5ad83b15.pdf
    • https://static.usrfiles.com/ugd/b8c837_5b2e3296347541adbc8f1a04cf718a93.pdf
    • https://static.usrfiles.com/ugd/b8c837_66c63703024c45c3942bc6ac7713b1aa.pdf
    • https://static.usrfiles.com/ugd/1cc777_df62a361e8e347c1b9db92c7fbf63b8a.pdf
    • https://static.usrfiles.com/ugd/9734e7_3af41a9936274b35836c24fe55fdcdb4.pdf
    • https://static.usrfiles.com/ugd/f65518_fa43f63fff7b464f85d80c47063c7e9d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006109.bin
f86832d983276d6c6e78c6463b83f06d22cc39b209ce0368a9cfdc9b153ec410		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6109 5404 bytes
font_01_sfnt_off00007351.bin
81b65224308c51baddc290a18cb8d001dc013c2bf568f6ec333b836524e4e37a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7351 10340 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.