Malicious PDF — malware analysis report

Static analysis result for SHA-256 e2ccded2a7ee4cd9…

MALICIOUS

PDF

41.6 KB Created: 2020-08-29 19:45:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9b9af66e7c27909133efb02ea59a68e8 SHA-1: 70cd89ec4ec04b56af4e503c95e5edc3cfe7ae1e SHA-256: e2ccded2a7ee4cd99d1e03585db1d2ce81471b0abfef55b6e6fd73538eee6ea4
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing indicating a malicious redirector link. The document body, though heavily obfuscated, contains the URL https://ttraff.com/wix?keyword=nvidia+388.+31, which is also listed as a malicious redirector. The file also contains a large number of external PDF links, suggesting a link farm or SEO poisoning attempt, with the dominant host being static.usrfiles.com.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=nvidia+388.+31
    • https://static.usrfiles.com/ugd/b8c837_9d97030adb904e1da4e1960c69db5cda.pdf
    • https://static.usrfiles.com/ugd/b8c837_f1d2c020d34c41ef80471d436125ba5f.pdf
    • https://static.usrfiles.com/ugd/b8c837_cf840f32a4434f0f821d515fb9d5e80e.pdf
    • https://static.usrfiles.com/ugd/b8c837_cc26ae7fa3284b06949b93269be5a247.pdf
    • https://static.usrfiles.com/ugd/b8c837_2f09115c31ba43d1998f27242f01d6c4.pdf
    • https://static.usrfiles.com/ugd/0a593f_cfdb97d11e8f48eebeb534053bc65671.pdf
    • https://static.usrfiles.com/ugd/b8c837_3266973cf40d4bb08be5c98beabdb23c.pdf
    • https://static.usrfiles.com/ugd/b8c837_3ead4e8c8306479ab4a774814528b582.pdf
    • https://static.usrfiles.com/ugd/b8c837_79d18a12e5bf4706bb62bc5982b6810e.pdf
    • https://static.usrfiles.com/ugd/73cb9e_98b04f0c82ce472abf1318eeea6cfaad.pdf
    • https://static.usrfiles.com/ugd/ceb2e8_6497eae5316c4d9b91ccacda0352f63a.pdf
    • https://static.usrfiles.com/ugd/b8c837_7859c7c65faa4e118d26c53da8b0fea7.pdf
    • https://static.usrfiles.com/ugd/b8c837_48dfbe299e9a4f2b8cf9536bfa38540c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005e44.bin
8f69cde19943b1afc20b99807dd3cbc1ba0694c76a8b3b7af3379d11c9d1cb84		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E44 4984 bytes
font_01_sfnt_off00006f61.bin
9ee6e2ad5d1e75c61bdc1620bb1015b3e7496bd38508bd9441354fc9acca7cb5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F61 13456 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.