Malicious PDF — malware analysis report

Static analysis result for SHA-256 d34fefa14e1f5a01…

MALICIOUS

PDF

79.0 KB Created: 2020-09-03 11:42:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b9e41db3a399e1f9a6daf4c1c745e14f SHA-1: 12d209cf3dd6683f709da94728aeb4ad5234026c SHA-256: d34fefa14e1f5a01dca9ef7a1132cd3e2ba847d46b5f48472e94c4bbb649006d
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains multiple embedded links, with one specifically identified as a malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.ru/wix?keyword=important+vocabulary+english+to+bangla+pdf', which is flagged as malicious. The presence of numerous links to static.usrfiles.com suggests a link farm or SEO poisoning attempt to distribute the malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=important+vocabulary+english+to+bangla+pdf
    • https://static.usrfiles.com/ugd/4b874d_1d4e077f465e4df8a47cf223d8af3792.pdf
    • https://static.usrfiles.com/ugd/79cb75_4e81f01136524642aedd52669bf05f7a.pdf
    • https://static.usrfiles.com/ugd/b8c837_cc58c533a3854ec8a080083273e8b5db.pdf
    • https://static.usrfiles.com/ugd/18122d_a13266eae8824cac84629177fa3a4480.pdf
    • https://static.usrfiles.com/ugd/81d6a4_00b31d28b8204d59898c89c37302fd72.pdf
    • https://static.usrfiles.com/ugd/963627_3f0bae441f7c49ddb3f76f74b76aa131.pdf
    • https://static.usrfiles.com/ugd/b8c837_941a267a2d6b460f93fc17b5f551428b.pdf
    • https://static.usrfiles.com/ugd/e5cbe5_3760eaa1654a4b13823cbea2c7d91cac.pdf
    • https://static.usrfiles.com/ugd/0d002d_39170e29ee02457d89b59b85d1385814.pdf
    • https://static.usrfiles.com/ugd/b8c837_4ffec7ef8bf841e1aef717cf53b69edb.pdf
    • https://static.usrfiles.com/ugd/2ac701_90babb9464c94b699d38284ba6c4e562.pdf
    • https://static.usrfiles.com/ugd/7f614e_faa6cf6a44884f1590428124e0114b67.pdf
    • https://static.usrfiles.com/ugd/b8c837_f401b53bf37341ee9dabd946801f808e.pdf
    • https://static.usrfiles.com/ugd/b8c837_d57c29cfbea74b18957df0616ed1d60c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a9e8.bin
8f895d062d9f7e5fc7bad6487b24aec05cac8a1a2cb3b9a2adf5d6b86ff4b616		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA9E8 5808 bytes
font_01_sfnt_off0000bd87.bin
c4e617a9b04a1201247527f11b038739b4e648ecc31d74736a7cee4e17154b33		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBD87 27652 bytes
font_02_sfnt_off0001021c.bin
1e1e368ffffe2bf04185f0e7cc3d22f45a4f1bbf1a7cd634bb9d8675df4584be		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1021C 14412 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.