Malicious PDF — malware analysis report

Static analysis result for SHA-256 e873f039a84dd33f…

Verdict: MALICIOUS
File type: PDF
Size: 44.9 KB
Created: 2020-09-16 19:40:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 03dbf7f344fce6b314c352d385d4766c
SHA-1: 2f394b388938e38c0640b7b06d9464571237f077
SHA-256: e873f039a84dd33f210f8b0f18a97c7a08c0457de5d523d444eebf3b5b67603f
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.link/wix?keyword=swerve+drive+control'. Additionally, it exhibits a PDF link farm behavior, with 19 external PDF links, likely for SEO manipulation or to host further malicious content. The ML classifier also strongly flagged this PDF as malicious. The document body contains garbled text but includes the string 'Swerve drive control' and the malicious URL, suggesting a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.link/wix?keyword=swerve+drive+control
    • https://785ecc1e-cc6a-4243-8efc-85598889fdb0.filesusr.com/ugd/237bf7_49540846a39e4dfaaa730657f842cc1f.pdf?index=true
    • https://6e74b444-fe16-4d56-9a98-7a604e79b01f.filesusr.com/ugd/defcb2_26674211966344d08d4502a34bf51c8a.pdf?index=true
    • https://5a64510a-3352-441b-a8f7-d80ef7983014.filesusr.com/ugd/8da65f_77eb815a4aa84fce9fc489812e9fd7cf.pdf?index=true
    • https://5a839022-31d0-4245-a2bf-0d711586f379.filesusr.com/ugd/622218_4906bda96fbd40b7ae9e8bf3120fc28b.pdf?index=true
    • https://eaa80c8e-8ae6-4143-8b3e-36f1957534ca.filesusr.com/ugd/4a2613_1c44592abe354605914ddbbad7e5d895.pdf?index=true
    • https://dbd2abb5-ad30-4453-81a2-3ad55bb04f2f.filesusr.com/ugd/d5cf39_e3b068bf04d04b2a83aff53c5d6daee9.pdf?index=true
    • https://f45cbc53-081c-48c3-9451-f1868592e65e.filesusr.com/ugd/6f7357_1a1eeb036f8d41589db788149e24b3b0.pdf?index=true
    • https://099b90b2-467a-49bd-a764-0cf611556043.filesusr.com/ugd/58a813_29b08158a8f341f49e338b594473ed43.pdf?index=true
    • https://d56e4447-a3eb-42dc-b6a4-ef6dda2d412c.filesusr.com/ugd/c722c2_d3ff32b265ef4ef489e68b257ca630b3.pdf?index=true
    • https://8809969c-2c79-4e61-b552-74cf05d90804.filesusr.com/ugd/158fb9_8475477a780f41adad1c6027c10a61b8.pdf?index=true
    • https://d83f5934-f8b5-4448-a615-24e663452812.filesusr.com/ugd/834936_be8349ab439e40afbab326513de2016f.pdf?index=true
    • https://be9712b7-ddfe-4c98-86af-fa958f750902.filesusr.com/ugd/dc8a8e_a89011341312420b9421ec2a6867e7f1.pdf?index=true
    • https://55c86484-7a67-4f74-adcd-2c799e53ee51.filesusr.com/ugd/c638b7_3775c60f8bca4a53b2cecf319a7065a3.pdf?index=true
    • https://ae212598-fe26-4513-a83a-d41bf96b43cc.filesusr.com/ugd/73c254_3bd0bd749f924f6890fb0831ea94cd11.pdf?index=true
    • https://676f7d06-2ed8-4ffd-ac2f-cd41d27ee609.filesusr.com/ugd/384ea4_a4801e24ba4842ada097278a33275782.pdf?index=true
    • https://3bcc7913-8475-43c2-8fbb-81c619dae966.filesusr.com/ugd/17beed_ee7c64ac41f347fb88c9f989db37af50.pdf?index=true
    • https://3d9f1282-5095-4667-a243-0dff7c462ded.filesusr.com/ugd/4aae87_bbfd4b5b987249508f8b58aa2b66db3b.pdf?index=true
    • https://47608300-8590-46b4-9fe4-1dc8e3843566.filesusr.com/ugd/9d869b_332dec52176c4e09a31fbd07ca505b4d.pdf?index=true
    • https://9d4365de-6f89-4c72-9986-ba665cc3e689.filesusr.com/ugd/9e41f0_0d6854c1fee54f0c92ba782bf6a61a9a.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://55c86484-7a67-4f74-adcd-2c799e53ee51.filesusr.com/ugd/c638b7_3775c60f8bca4a53b2cecf3

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00006631.bin
    SHA-256: c44c8d8f8de0580d4d027857c631cc57a94e93a940a2f4269d261cd1e65ddbbd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6631
    Size: 4588 bytes
  • font_01_sfnt_off000075dc.bin
    SHA-256: 7d73b207d2f64ffd9a57fa3f2bd1fa8e16119fbb0e9fdc6fca904b9c723c0264
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x75DC
    Size: 10128 bytes
  • font_02_sfnt_off00009894.bin
    SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9894
    Size: 4324 bytes