Malicious PDF — malware analysis report

Static analysis result for SHA-256 e36c393bccddc6c9…

Verdict: MALICIOUS
File type: PDF
Size: 44.8 KB
Created: 2020-09-06 23:40:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b910090726568204337cc9097fa47903
SHA-1: 513f07830c940b91427e5475b7a77b5d5ab2d6ec
SHA-256: e36c393bccddc6c9c3273bf0c6e8f0f74da7cdde30f43fd6e86e92cb44278a60
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link    T1204.001 User Execution: Malicious Link

The PDF was flagged as malicious by a machine learning classifier (score 1.0000) and triggered a critical heuristic: it carries a clickable link to redirector infrastructure used by a known malicious PDF SEO/adware campaign. The document body contains a movie-related lure keyword and a ttraff.club URL that appears to be part of a link farm, i.e. bait meant to pull search traffic into a redirect chain. The many external links, most of them .pdf files hosted on static.usrfiles.com, point to an SEO manipulation or traffic-redirection scheme rather than a normal citation pattern. The detections depend on the user clicking a link; no PDF parser vulnerability is indicated.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    A small PDF containing many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URLs
    One or more URLs were extracted from the document. A URL by itself is not a detection; what matters is the channel (macro, JavaScript, link annotation, document body, ...) that reached it, so the URLs are grouped by channel below.
    Clickable redirector link, also present as the lure URL in the document body:
    • https://ttraff.club/wix?keyword=dressed+to+kill+full+movie
    Clickable external PDF links (ten on static.usrfiles.com, five on cdn.shopify.com):
    • https://static.usrfiles.com/ugd/0bcf16_52716bb6666c487685a7d99e1d6416d2.pdf
    • https://static.usrfiles.com/ugd/e8e253_241ed078b9ef44efa366978986d13837.pdf
    • https://static.usrfiles.com/ugd/7c1f05_ab94c760532f45d1a23b205f75197c1c.pdf
    • https://static.usrfiles.com/ugd/64d889_8525f0f869a64a1e97992b1d6d01d9be.pdf
    • https://static.usrfiles.com/ugd/32777b_864cdcf2d8f74d0eae3efe20b659f051.pdf
    • https://static.usrfiles.com/ugd/b8bbd7_61781043baaa4293ac7bcf1fb10427c0.pdf
    • https://static.usrfiles.com/ugd/4ca7f5_28a61e2c62ee4ea1ab251cec85fc6ad6.pdf
    • https://static.usrfiles.com/ugd/3c2e2e_c5e1c03ffe0a491b8992bf711368fcf4.pdf
    • https://cdn.shopify.com/s/files/1/0437/3177/9733/files/29355636621.pdf
    • https://cdn.shopify.com/s/files/1/0433/3142/0319/files/hbr_guide_to_better_business_writing_download.pdf
    • https://cdn.shopify.com/s/files/1/0440/6178/6262/files/inorganic_chemistry_by_huheey.pdf
    • https://cdn.shopify.com/s/files/1/0434/7399/3890/files/fupejot.pdf
    • https://cdn.shopify.com/s/files/1/0435/5699/5233/files/tizunoroferezojarimuxiki.pdf
    • https://static.usrfiles.com/ugd/c345b0_cc6a8811aeff415ab2b56428c0677302.pdf
    • https://static.usrfiles.com/ugd/b8c837_4319505807b345dcafe18fd28e4b4ed3.pdf
    XMP metadata namespace URIs (standard identifiers from the document's metadata stream, written by wkhtmltopdf/Qt; not clickable links and not indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
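The following is an added example, not code from the analysis platform that produced this report. It replays the logic behind the PDF_SEO_LINK_FARM, PDF_MALICIOUS_REDIRECTOR_LINK and EMBEDDED_URL entries above over a constructed PDF: it builds a minimal uncompressed PDF whose /Link annotations carry /URI actions shaped like the report's (same hosts, made-up object names) plus an XMP metadata packet, then attributes each URL to the channel that carried it (link annotation vs. XMP namespace vs. unattributed bytes), checks clickable links against a redirector host list, and applies a size / link-count / host-clustering rule. The thresholds, the one-entry redirector list and the regex-only extraction are assumptions made for the example.

```python
"""Added example: replay the link-farm / redirector / URL-channel logic over a constructed PDF."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample links (NOT the analysed file): hosts mirror the report,
# the object names are made up so none of these point at real hosted files.
SAMPLE_LINKS = (
    ["https://ttraff.club/wix?keyword=some+movie"]
    + [f"https://static.usrfiles.com/ugd/{i:06x}_sample{i}.pdf" for i in range(8)]
    + [f"https://cdn.shopify.com/s/files/0/0/0/files/sample{i}.pdf" for i in range(3)]
)
# Minimal XMP packet of the kind wkhtmltopdf/Qt writes; its xmlns URIs are
# namespace identifiers, not links a reader can click.
SAMPLE_XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
              b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
              b'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" '
              b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></rdf:RDF></x:xmpmeta>')

def build_sample_pdf(links, xmp):
    """Assemble an uncompressed PDF skeleton: one page whose /Annots are /Link
    annotations with /URI actions, plus an XMP /Metadata stream. No xref table
    is written; the scanners below work on raw bytes and do not need one."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(links)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /Annots [" + refs + b"] >>")
    objs.append(b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
                + xmp + b"\nendstream")
    for uri in links:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (" + uri.encode() + b") >> >>")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n + 1, o) for n, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer << /Root 1 0 R >>\n%%EOF\n"

SAMPLE_PDF = build_sample_pdf(SAMPLE_LINKS, SAMPLE_XMP)

# Raw-byte patterns. Caveat: this only sees literal-string /URI actions in
# uncompressed objects; a real scanner must first inflate FlateDecode object
# streams and also handle hex-string and indirect /URI values.
URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
XMLNS = re.compile(rb'xmlns:[A-Za-z0-9_.-]+="([^"]+)"')
ANY_URL = re.compile(rb"https?://[^\s<>\"')]+")
REDIRECTOR_HOSTS = {"ttraff.club"}  # assumed one-entry list; the report ties this host to the campaign

def classify_urls(pdf):
    """Map every URL in the file to the channel(s) that carried it."""
    channels = {}
    for m in URI_ACTION.finditer(pdf):
        channels.setdefault(m.group(1).decode("latin-1"), set()).add("link_annotation")
    for m in XMLNS.finditer(pdf):
        ns = m.group(1).decode("latin-1")
        if ns.startswith("http"):
            channels.setdefault(ns, set()).add("xmp_namespace")
    for m in ANY_URL.finditer(pdf):        # anything else is just bytes in the file
        channels.setdefault(m.group().decode("latin-1"), {"unattributed"})
    return channels

def redirector_hits(pdf):
    """Clickable links whose host is on the redirector list (PDF_MALICIOUS_REDIRECTOR_LINK)."""
    return sorted(u for u, ch in classify_urls(pdf).items()
                  if "link_annotation" in ch and urlsplit(u).hostname in REDIRECTOR_HOSTS)

def link_farm_verdict(pdf, max_size=200_000, min_pdf_links=8, min_share=0.5):
    """PDF_SEO_LINK_FARM logic: small file, many clickable external .pdf links,
    most of them on one host. Thresholds are illustrative assumptions."""
    links = [u for u, ch in classify_urls(pdf).items() if "link_annotation" in ch]
    pdf_links = [u for u in links if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    fires = len(pdf) <= max_size and len(pdf_links) >= min_pdf_links and share >= min_share
    return {"fires": fires, "size": len(pdf), "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 2)}

if __name__ == "__main__":
    for url, ch in sorted(classify_urls(SAMPLE_PDF).items()):
        print(f"{','.join(sorted(ch)):16} {url}")
    print("redirector hits:", redirector_hits(SAMPLE_PDF))
    print("link farm:", link_farm_verdict(SAMPLE_PDF))
```

On the constructed sample the three XMP namespace URIs come back labelled xmp_namespace only, which is why a URL list without channel labels overstates the indicator count: only the link_annotation entries are something a user can click.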

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000071c6.bin
  SHA-256: 0ed4bf0f69e398febafdfb42668133e49f0d450011d1cacedf7990a9e3757366
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x71C6
  Size: 4968 bytes

Filename: font_01_sfnt_off000082a5.bin
  SHA-256: 5d369ce3d9fb0ce5a33a062a9bdc72e0b43590d91ff35595d805e1b56bfeaae8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x82A5
  Size: 10444 bytes

Both artifacts are embedded sfnt font programs, which wkhtmltopdf/Qt routinely writes into the PDFs it generates; none of the heuristics above fired on them.
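The following is an added example, not the carving code of the analysis platform that produced the table above. It shows how an "sfnt at offset X, N bytes" artifact like the two listed can be recovered: scan a buffer for the sfnt magic values, validate the table directory that follows, and take the font's extent as the end of its last table rounded to 4 bytes. The sample fonts and the PDF-like carrier around them are constructed inline (header fields such as searchRange and checksums are left at zero); on a real file the buffer handed to the carver is the decoded font stream or, as the report's offsets suggest, the raw file where the stream is stored uncompressed.

```python
"""Added example: carve sfnt (TrueType/OpenType) font programs out of a byte buffer."""
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")  # TrueType, CFF OpenType, Apple TrueType

def sfnt_extent(buf, off):
    """Length of the sfnt starting at buf[off:] as implied by its table directory,
    or None if the header/table records are not plausible."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 1 <= num_tables <= 64:
        return None
    dir_end = 12 + 16 * num_tables
    end = dir_end
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        if rec + 16 > len(buf):
            return None
        tag, _checksum, toff, tlen = struct.unpack_from(">4sIII", buf, rec)
        if not all(0x20 <= c < 0x7F for c in tag):   # table tags are printable ASCII
            return None
        if toff < dir_end or off + toff + tlen > len(buf):
            return None
        end = max(end, toff + tlen)
    return min((end + 3) & ~3, len(buf) - off)         # table data is 4-byte aligned

def carve_sfnt_fonts(buf):
    """Return [(offset, length, sha256)] for every plausible sfnt in buf."""
    found, pos = [], 0
    while True:
        hits = [h for h in (buf.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            return found
        off = min(hits)
        length = sfnt_extent(buf, off)
        if length is None:
            pos = off + 1                               # false hit (e.g. the word "true" in PDF syntax)
            continue
        found.append((off, length, hashlib.sha256(buf[off:off + length]).hexdigest()))
        pos = off + length

def build_sample_sfnt(tables):
    """Constructed test font: valid header + directory + padded table data.
    searchRange/entrySelector/rangeShift and checksums are left at zero."""
    hdr = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(tables), 0, 0, 0)
    data_off, records, blobs = 12 + 16 * len(tables), b"", b""
    for tag, payload in tables:
        padded = payload + b"\x00" * (-len(payload) % 4)
        records += struct.pack(">4sIII", tag, 0, data_off, len(payload))
        blobs += padded
        data_off += len(padded)
    return hdr + records + blobs

FONT_A = build_sample_sfnt([(b"head", b"A" * 54), (b"name", b"B" * 70)])
FONT_B = build_sample_sfnt([(b"cmap", b"C" * 100), (b"glyf", b"D" * 33), (b"loca", b"E" * 8)])
# Constructed carrier: PDF-ish filler around two fonts, including a stray "true"
# that must not be mistaken for a font header.
SAMPLE_BLOB = (b"%PDF-1.4 junk junk /Marked true " + FONT_A + b"\nendstream\n"
               + b"x" * 37 + FONT_B + b"\nendstream\n%%EOF")

if __name__ == "__main__":
    for off, length, digest in carve_sfnt_fonts(SAMPLE_BLOB):
        print(f"font at 0x{off:X} length {length} sha256 {digest}")
```

The directory validation (table count, printable tags, offsets inside the buffer) is what keeps the four-byte magic values from producing a carved "font" for every `true` in a PDF dictionary; the hash of each carved region is what a table like the one above keys on.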