Malicious PDF — malware analysis report

Static analysis result for SHA-256 de2d25771625af2f…

MALICIOUS

PDF

43.6 KB Created: 2020-09-07 17:11:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 04542e05456ee333c1bcfba286cdf8bc SHA-1: e6a3922f10f703e8eca8792e01684d394d62bf34 SHA-256: de2d25771625af2ff03eaf8fa0a8ed427580fde3323419aaf17bd4ea04845e8c
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.me/wix?keyword=background+gradient+generator+android'. This indicates an attempt to direct the user to a malicious site. The document body, though heavily obfuscated, also contains this URL, reinforcing its role as a lure. The presence of numerous other PDF links, many hosted on static.usrfiles.com, suggests a link farm or SEO poisoning tactic to distribute the malicious PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=background+gradient+generator+android
    • https://static.usrfiles.com/ugd/83e24f_39b7ae316b5443be8aff14bd1b9f15dc.pdf
    • https://static.usrfiles.com/ugd/760101_a8f545a2108d41b99d6eb3b2ce51ae3a.pdf
    • https://static.usrfiles.com/ugd/086daf_43779c50d4594d2aae6dda8d628b7bce.pdf
    • https://static.usrfiles.com/ugd/01bc73_c6436e4a93c24fb3928d79cc96bd413b.pdf
    • https://static.usrfiles.com/ugd/4dded2_4c44bcb9de124e6c847f72da65ea23dc.pdf
    • https://static.usrfiles.com/ugd/3e87bf_4a5dff5c472e4afcb37bb720075ce11b.pdf
    • https://static.usrfiles.com/ugd/39cb9d_843cd51948b64e8fa35fecaa5ac76bdd.pdf
    • https://cdn.shopify.com/s/files/1/0432/6224/7075/files/green_lantern_corps_comic.pdf
    • https://cdn.shopify.com/s/files/1/0437/1392/1175/files/xakifidosob.pdf
    • https://static.usrfiles.com/ugd/ade4e6_b42090108b1d45279e3f03897217505e.pdf
    • https://static.usrfiles.com/ugd/7f929b_9e94e122beb44924b6fa829085173f6b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000055b8.bin
895cc5abdc1f709852dc444724c3ae75ae8dac61432a77a89bb06aa609f5653a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x55B8 5012 bytes
font_01_sfnt_off000066d7.bin
4ab5e31a614b7d7c7769628276c4f2a3f7cd8b8ff0f2d31c655092b3fba639cf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66D7 10968 bytes
font_02_sfnt_off00008c81.bin
a9eec97b5b710827e496770131c56e90594bab8fe6683374b951f56eb10be3d3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8C81 16112 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.