Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc9bf8e931728bfa…

MALICIOUS

PDF

44.0 KB Created: 2020-09-01 02:47:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ed12c3b4fb16a7c70c86214aa28499d2 SHA-1: 23ab60fb07c182a69a0adec712cfbb7fbeb747de SHA-256: dc9bf8e931728bfa6610e8831368f5605aaebdb29531d234dbe3b9a351ff4679
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

This PDF document was flagged as malicious due to its inclusion of a link to a known malicious redirector. The document body contains numerous links to external PDFs hosted on static.usrfiles.com, forming a link farm. The primary malicious URL is ttraff.ru, which is likely used to funnel victims to further malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=pyromancer+guide+dark+souls+3
    • https://static.usrfiles.com/ugd/1be480_fff54b6eed80429380a6526ec7f3594f.pdf
    • https://static.usrfiles.com/ugd/b8c837_3f6e0a5b89b14037a7c44b6d91043543.pdf
    • https://static.usrfiles.com/ugd/b85eb0_cb3005f5ad654adc89c4908e8f0b73a1.pdf
    • https://static.usrfiles.com/ugd/b8c837_c3f3980ecb40432683dddd56453d5a04.pdf
    • https://static.usrfiles.com/ugd/b11f6d_b849df4d03bc44e48562050d9a7ba46f.pdf
    • https://static.usrfiles.com/ugd/3e87bf_bd1153d610b2442da7784173d8d143cc.pdf
    • https://static.usrfiles.com/ugd/7e0eb0_ff31b12a9c42430ab3ca9eee6ffd9d10.pdf
    • https://static.usrfiles.com/ugd/8a419d_ad333d44b0df41778b059fb21a0f8adb.pdf
    • https://static.usrfiles.com/ugd/3bcfef_de2cd79f3b95489dbfa2d4c10f9625d9.pdf
    • https://static.usrfiles.com/ugd/b8c837_2100d23ced5a494985e5751a87342560.pdf
    • https://static.usrfiles.com/ugd/aef5b7_e01ebc432dd54ef79b7504439a21e0df.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006e78.bin
66272f9e173700c2b2a53c1ec287d0fb0e64657a6c7ad155e11008ae70ff0990		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E78 5588 bytes
font_01_sfnt_off0000816d.bin
792174d45f0685196d074080205dab9308c55e0808f04a1e89adc33c05435b18		 pdf-font-stream PDF embedded font (sfnt) at offset 0x816D 10044 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.