Malicious PDF — malware analysis report

Static analysis result for SHA-256 d05694c1f6186d21…

MALICIOUS

PDF

38.9 KB Created: 2020-08-30 07:40:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bb28a1efd0ec340b3d8a2e6bef454b57 SHA-1: c63eecc54d03e0487641670f20f10b8d151e936e SHA-256: d05694c1f6186d21a449f50ceae878cbfd8cb963260bfbad2273e88a5e1d7386
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link to a known malicious redirector, ttraff.cc, which is disguised as a search result for a product manual. This suggests a social engineering tactic to trick users into visiting a malicious site. The PDF also exhibits characteristics of a link farm, with numerous embedded links to external PDFs, likely for SEO manipulation or to obscure the malicious redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=sony+460x+digital+zoom+handycam+manual
    • https://static.usrfiles.com/ugd/b8c837_93acebf79db545608ff8a3e82f9c4b1b.pdf
    • https://static.usrfiles.com/ugd/b8c837_acf7e84155ca4fe594712a62d09d1253.pdf
    • https://static.usrfiles.com/ugd/b8c837_5f4268ca41754053a2a6a39ffcbcf2ba.pdf
    • https://static.usrfiles.com/ugd/b8c837_6dc7f39e312144e18ce24ed2f66e7f4e.pdf
    • https://static.usrfiles.com/ugd/b8c837_7c8bc529c4e34f1496d0b4591b5addac.pdf
    • https://static.usrfiles.com/ugd/a4d998_d86e7d938ca549cfab715f126a1329fe.pdf
    • https://static.usrfiles.com/ugd/3f80ec_341b98b2c79543648760de8fffadd5c2.pdf
    • https://static.usrfiles.com/ugd/b8c837_b2d3ad00f82e41b29ca32be804017d62.pdf
    • https://static.usrfiles.com/ugd/aef5b7_6326be1c48664adda93350cdc1bf34aa.pdf
    • https://static.usrfiles.com/ugd/4f270c_0956d0dbce784d71abd519d99812ff18.pdf
    • https://static.usrfiles.com/ugd/b8c837_108fc8ab29a64a10a410ea0c5d2b291a.pdf
    • https://static.usrfiles.com/ugd/9cb927_6c1cf160cf844e94b48b7b9f6e9dbe3d.pdf
    • https://static.usrfiles.com/ugd/b8c837_b02d5dd660a24be2bac38fd87c4b71f8.pdf
    • https://static.usrfiles.com/ugd/191a6d_a41dcc31cc8f41a286b89530f59a78b4.pdf
    • https://static.usrfiles.com/ugd/20d83a_bde9148329ef4dab8453dc5481316252.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000057e7.bin
e7f88600952b3f3201122feef29804ceb4a267707575145c6529eb935e8814af		 pdf-font-stream PDF embedded font (sfnt) at offset 0x57E7 5784 bytes
font_01_sfnt_off00006b86.bin
6ce95fefdc22c8fb0ee25d35ab09a05796b0151bcda57c0da5464cb814221f60		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B86 10412 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.