Malicious PDF — malware analysis report

Static analysis result for SHA-256 dcc2951efe53139a…

MALICIOUS

PDF

54.5 KB Created: 2020-09-02 06:26:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9d615983472c58170ae85c64899f4d42 SHA-1: b0c00c448c2497700a6489c6c8846f4dd117cb01 SHA-256: dcc2951efe53139aa6eaeeb5e5c379287f3d5a16e531dcb9722a5c379c1330c5
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged as malicious by an ML classifier and contains a large number of external links, indicating a potential link farm or redirection scheme. One of the embedded URLs, 'https://ttraff.club/wix?keyword=performance+parts+for+dodge+ram+1500', is identified as a known malicious redirector. The document body, though heavily obfuscated, contains this same URL, reinforcing its role in the attack. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=performance+parts+for+dodge+ram+1500
    • https://static.usrfiles.com/ugd/76dd3d_561886cb3d78423e81351827d01854d9.pdf
    • https://static.usrfiles.com/ugd/0b46e6_b48508a234b84cf69c2bb90ff5cdf1df.pdf
    • https://static.usrfiles.com/ugd/83e24f_3128cedd5fe64a7fb845ba794eda6dae.pdf
    • https://static.usrfiles.com/ugd/3e7897_0d2dc4ca89364c7fa5c02dc4277c5857.pdf
    • https://static.usrfiles.com/ugd/17beed_0a378adbdd12402584a5296323f595f4.pdf
    • https://static.usrfiles.com/ugd/b8c837_dd536a2a81474067928e9b4219d4662d.pdf
    • https://static.usrfiles.com/ugd/9757e7_3a09da005fa64f2984e97b97259e547b.pdf
    • https://static.usrfiles.com/ugd/edb4a7_7cd1d3f73bfc496da9ce1d0261d1cdb0.pdf
    • https://static.usrfiles.com/ugd/8dde66_250ceacf17a14daba5d74d4372d83c71.pdf
    • https://static.usrfiles.com/ugd/ab059d_5a41b2ec5577443a950a982b015a88d1.pdf
    • https://static.usrfiles.com/ugd/b8c837_1587aea5e0934618be9b5e73dd47a9df.pdf
    • https://static.usrfiles.com/ugd/8a419d_e8acd631d8d74ee38a2f53cf3cf886da.pdf
    • https://cdn.shopify.com/s/files/1/0428/2771/0630/files/19033470518.pdf
    • https://cdn.shopify.com/s/files/1/0437/2601/2567/files/todd_lammle_ccna.pdf
    • https://cdn.shopify.com/s/files/1/0435/4031/6311/files/miwimogemofi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009400.bin
58141baefa0516590411f79f40b2b4a0784dbb787f539c57f24e1f2628b7f185		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9400 5764 bytes
font_01_sfnt_off0000a790.bin
5c8174e042300553f9847604b68f546e244afaccfece10762a3847bff9d32d7f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA790 11100 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.