Malicious PDF — malware analysis report

Static analysis result for SHA-256 e0ef98365e5103ea…

Verdict: MALICIOUS
File type: PDF
Size: 37.0 KB
Created: 2020-09-07 11:20:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b783439cf4edd6b7ac97be4b95a513ef
SHA-1: 49b45d93917f66912aa7e8bb3dcbdf0cb1325e72
SHA-256: e0ef98365e5103ea9c7226bb367360ad01d238d1f899ac40441816d8c2f16832
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

A critical heuristic fires on a malicious redirector link that also appears in the document body. This link, 'https://ttraff.link/pify?keyword=picsart+apk+uptodown+2018', is designed to redirect users to potentially harmful content. The PDF also exhibits the characteristics of a link farm: it carries numerous embedded URLs, many of them pointing to static.usrfiles.com. The ML classifier strongly supports the malicious verdict for this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.link/pify?keyword=picsart+apk+uptodown+2018

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005216.bin
  SHA-256: 9fa33c2608d1d799a053da3a3be95cc7163153e883235c06293e74909badc532
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5216
  Size: 5712 bytes

Filename: font_01_sfnt_off000065b1.bin
  SHA-256: 77c949675daec55840def62668de92a858f3dc726fa1c854258d868254d5b6f0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x65B1
  Size: 9988 bytes