Malicious PDF — malware analysis report

Static analysis result for SHA-256 dbb65317a11dd45d…

MALICIOUS

PDF

45.9 KB Created: 2020-08-29 04:18:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9c454cb0f59e23e33179755894e2774e SHA-1: a9ef24054ce70ada7e4142f7810e2e6202e6c793 SHA-256: dbb65317a11dd45d62e016f28a1ef29a2913c33e40a6ec29717f93e345acb3f4
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to ttraff.com. Additionally, it exhibits a PDF link farm heuristic, with numerous links hosted on static.usrfiles.com, suggesting a coordinated effort to distribute malicious content. The ML classifier also strongly indicated maliciousness. The primary attack pattern involves luring users through these links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=norma+kuhling+accent
    • https://static.usrfiles.com/ugd/b8c837_9025036dbb73489ea427cea1acc51b50.pdf
    • https://static.usrfiles.com/ugd/b8c837_8ea008c2469a4efe83f8c611f4b12901.pdf
    • https://static.usrfiles.com/ugd/b8c837_0ad7e23b1585435e8d74688a4580fd10.pdf
    • https://static.usrfiles.com/ugd/b8c837_5d21d8e49165415cbea1705a388e3f00.pdf
    • https://cdn.shopify.com/s/files/1/0428/8148/2918/files/44046389618.pdf
    • https://static.usrfiles.com/ugd/b8c837_92a6cbb52b6147bfa79d947dc61c8ac9.pdf
    • https://static.usrfiles.com/ugd/b8c837_2ca350049c0a4c17966172f1d586d236.pdf
    • https://static.usrfiles.com/ugd/b8c837_e845e7b508094b5ab3c06c99b5bda7c1.pdf
    • https://static.usrfiles.com/ugd/b8c837_5aa2db9ad1eb475985b158d9acbb6a1b.pdf
    • https://static.usrfiles.com/ugd/b8c837_c0580a59b5d24efdaaf91aa64aa08d9c.pdf
    • https://static.usrfiles.com/ugd/b8c837_a2a807880bc94fa796a6c93447feb93f.pdf
    • https://static.usrfiles.com/ugd/b8c837_04040f7608d74a0495fb67801fd37b0b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000062cd.bin
8e9bdbd16afa3ef158781faa5beb5e5881a8176edbb32dd7aa9679f004fbeb95		 pdf-font-stream PDF embedded font (sfnt) at offset 0x62CD 5068 bytes
font_01_sfnt_off000073db.bin
2e09be654aa01cfdc9b770acd8abc85db9fa258ebd676236b68b720d1c873018		 pdf-font-stream PDF embedded font (sfnt) at offset 0x73DB 4716 bytes
font_02_sfnt_off00008506.bin
7c119a689774f78a15db878536bdb1b6d4cb97e08a1ea1b95bb311f440ed491a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8506 11276 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.