Malicious PDF — malware analysis report

Static analysis result for SHA-256 e9028125302b2313…

MALICIOUS

PDF

38.0 KB Created: 2020-08-30 12:13:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 000f2ae7fd0227aaa7cbc34cc3f2b200 SHA-1: 8b69a45c0d9cf0c1f89351c364bb2be21779ea1a SHA-256: e9028125302b231360c4d94d58083a4a1bb43d97f631afe9f38700d69f4f7e6b
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com', which is likely used to lure victims into a phishing or scam campaign. The document body, though heavily obfuscated, contains the same URL and a reference to 'oil change chico ca', suggesting a deceptive lure. The presence of numerous external PDF links, many hosted on 'static.usrfiles.com', further indicates a link farm designed to distribute malicious content or improve SEO for malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=oil+change+chico+ca
    • https://static.usrfiles.com/ugd/cf79db_283733dc0bb44419a6d58bf04b10bb67.pdf
    • https://static.usrfiles.com/ugd/b8c837_c76a66380c9f4b50990411721f5d42fe.pdf
    • https://static.usrfiles.com/ugd/b8c837_f0cd584adfd84226944bf179f5467e41.pdf
    • https://static.usrfiles.com/ugd/daca0d_933d043f57594913a3697a284ceac981.pdf
    • https://static.usrfiles.com/ugd/405339_900a32b974f2419abad7ad0bab24bea6.pdf
    • https://static.usrfiles.com/ugd/b8c837_0265392217ca4d0c9113f8cf1b3a9dd3.pdf
    • https://static.usrfiles.com/ugd/3f80ec_8487d3ce10ea4ef9a77df16c80be9754.pdf
    • https://static.usrfiles.com/ugd/2e16aa_a10c159c5ca9448186d654fc23f88dad.pdf
    • https://static.usrfiles.com/ugd/4cf28d_ac68ffd97ac248afb99794c65efa1657.pdf
    • https://static.usrfiles.com/ugd/c0fca2_d8a72467a558480bb86e12c37a89d36a.pdf
    • https://static.usrfiles.com/ugd/09273f_2cccb36819d44ce89a80cc384cb1a47c.pdf
    • https://cdn.shopify.com/s/files/1/0439/1141/3915/files/25130298521.pdf
    • https://cdn.shopify.com/s/files/1/0434/6521/2066/files/13082988294.pdf
    • https://cdn.shopify.com/s/files/1/0440/2338/2166/files/anjana_anjani_movie_songs_pagalworld.pdf
    • https://cdn.shopify.com/s/files/1/0433/3423/8362/files/github_upload_image.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005800.bin
f5a96cbea5f4bd22a987c5d9d031a1ecaf5ad10f813d38e73a4adba3e7290b59		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5800 4812 bytes
font_01_sfnt_off00006853.bin
c461d1c7c7ec8b5114954085a76d6fdbcf972cafb1cddbd9aa017967d3553cb7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6853 10420 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.