Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc5702c05150f100…

MALICIOUS

PDF

41.1 KB Created: 2020-08-30 09:22:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9edfc1b55960a9cedd9332ca63b3913c SHA-1: 38dd0b13b412f6172887d9ab72e781e9db82e89c SHA-256: cc5702c05150f100866b0843eb8c10f28809117ae6645cda705a56fc29f5cc49
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.me/wix?keyword=jeu+de+patience+tome+4+pdf'. Additionally, it exhibits characteristics of a PDF SEO link farm, with numerous links to PDFs hosted on 'static.usrfiles.com'. The ML classifier strongly flagged this PDF as malicious. The document body, though heavily obfuscated, contains references to the malicious URL and benign-looking PDF links, suggesting a lure to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=jeu+de+patience+tome+4+pdf
    • https://static.usrfiles.com/ugd/b8c837_10d67812611b4847826248b5193855b4.pdf
    • https://static.usrfiles.com/ugd/a771bd_696263ea5f874c96a8127a3ec2ff79a9.pdf
    • https://static.usrfiles.com/ugd/b8c837_5def78df6d9a4c24803373e69d6f63c3.pdf
    • https://static.usrfiles.com/ugd/affb4a_5367510667ab490aa9f612485dcb22b2.pdf
    • https://static.usrfiles.com/ugd/16a96a_575490ab0bc345639950f7b38c57a667.pdf
    • https://static.usrfiles.com/ugd/b8c837_d27470ce9b60460db4db6588a0ddc319.pdf
    • https://static.usrfiles.com/ugd/b8c837_c05975b7ef7d48009a5b7e423293b265.pdf
    • https://static.usrfiles.com/ugd/b8c837_b0869b92a508407a95528e431fe236b3.pdf
    • https://static.usrfiles.com/ugd/b8c837_826862b38dcf4198a515204c0634ecba.pdf
    • https://static.usrfiles.com/ugd/b8c837_70fa9ad2f64145bc96ffa54f0b6d7146.pdf
    • https://static.usrfiles.com/ugd/b8c837_d38ddbb468934632b2c0b4658c6776b2.pdf
    • https://static.usrfiles.com/ugd/63d3ad_7724b479d2794a0db673ac2423d1e868.pdf
    • https://static.usrfiles.com/ugd/b8c837_96a5ec8415224b5082beb56add50a40d.pdf
    • https://static.usrfiles.com/ugd/3e9e83_2c70edff5fdd4d419456d3b1344e8ddd.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006218.bin
a82d4dd9e3e5499bd52b8113347ce2170bbb82ce1789dcc1e2b36ea7bbb2eba2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6218 5072 bytes
font_01_sfnt_off00007351.bin
be281f13e9495be491e833b92a2dad7259cb3c3b1110d65622521ca3fff3a8b1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7351 11560 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.