Malicious PDF — malware analysis report

Static analysis result for SHA-256 d23d6230c0ed0981…

Verdict: MALICIOUS
File type: PDF
Size: 43.7 KB
Created: 2020-08-30 19:57:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a9b96524c0710f0849af387fd08a05fb
SHA-1: 404d0f2f1bf448742d4c11f0977e83c10949518f
SHA-256: d23d6230c0ed0981b8cbcf4db973fe2222ccbcf1af3ec37650ac0bb7c3beb486
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=rebirth+2+the+life+taker'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links to external PDFs hosted on 'static.usrfiles.com'. The document body, though heavily obfuscated, contains the same redirector URL. This suggests a social engineering attack aiming to lure the user to malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=rebirth+2+the+life+taker
    • https://static.usrfiles.com/ugd/105a8c_2e7083fa34e6489e936e67d33f1676c2.pdf
    • https://static.usrfiles.com/ugd/b8c837_126fc4e8036b4a018433c4911e9352bf.pdf
    • https://static.usrfiles.com/ugd/409ca8_d6b8a35accd54a4db324c0e7f3e47c16.pdf
    • https://static.usrfiles.com/ugd/451a43_bf23ddd615644065978daee822b166b5.pdf
    • https://static.usrfiles.com/ugd/538d67_8000a702eb5f40aa9a64bddc3ed79b66.pdf
    • https://static.usrfiles.com/ugd/b8c837_4fac8b22f7e44a8093401ab03043d3a5.pdf
    • https://static.usrfiles.com/ugd/2ca09c_4796498e8333463db6304636bfa31228.pdf
    • https://static.usrfiles.com/ugd/b8c837_cc2ca64bcc87477fb5d65930b045d250.pdf
    • https://static.usrfiles.com/ugd/b65acf_9ef9cf383f434aeeb1c6501ce873661d.pdf
    • https://static.usrfiles.com/ugd/36f25b_49d091ba9d004ef3b4b14928a30af4e7.pdf
    • https://static.usrfiles.com/ugd/b8c837_df3aa7ae4ec441c7854a68d2e09dfd30.pdf
    • https://static.usrfiles.com/ugd/b8c837_a141e5303cdf4d0892d752e5f9f955af.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size.

  • font_00_sfnt_off00004d21.bin
    SHA-256: 47ee6983552e1ff873f7047b921a5584183eaeafd4c09b52c706c639a9fff6fc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4D21
    Size: 3228 bytes
  • font_01_sfnt_off000058a8.bin
    SHA-256: 7fa79e91cb4bac689cbf82e119272ac58d2950120567aa30847b29bcbb052220
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x58A8
    Size: 5020 bytes
  • font_02_sfnt_off000069b7.bin
    SHA-256: 95bddf97b704c7c35ceb96e63ff648ce4889ffb77bb3e22fb2aa32472e3504fc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x69B7
    Size: 10084 bytes
  • font_03_sfnt_off00008c71.bin
    SHA-256: 1bfc56e9d227e98e4fbfdd8b5970ab3c5e377386b147bf7f5f2863d5aea06441
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8C71
    Size: 16172 bytes