Malicious PDF — malware analysis report

Static analysis result for SHA-256 e9dfd579a9f40946…

Verdict: MALICIOUS
File type: PDF
Size: 53.0 KB
Created: 2020-08-31 03:33:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2c7c54b695ae30301efc6d3c81afc6d5
SHA-1: 39a705deba7217e7c6c1066bd169f22050882944
SHA-256: e9dfd579a9f409464a6fe23409d4c9cb55f43f390b3e08f24275b2f0f31fa8d1
Risk Score: 94

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.cc, which is disguised with a keyword suggesting adult content. The document body, though heavily obfuscated, contains the same URL. This indicates a phishing or scam attempt designed to drive traffic to malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=escort+near+me
    • https://static.usrfiles.com/ugd/b8c837_008fd272bb57404784e4a5b0f62817a9.pdf
    • https://static.usrfiles.com/ugd/b8c837_53e8f6c744ad4c91b07e0a08e93016c5.pdf
    • https://static.usrfiles.com/ugd/b8c837_1f629cc0bc584e1088d5d1d04d2847f5.pdf
    • https://static.usrfiles.com/ugd/bfbc46_beaf1de14a7c42828938759745ddc92f.pdf
    • https://cdn.shopify.com/s/files/1/0429/7441/2949/files/tudokiwotexagokupi.pdf
    • https://cdn.shopify.com/s/files/1/0432/9157/4430/files/character_picture_grid.pdf
    • https://static.usrfiles.com/ugd/b8c837_f0c0193e9c7246ddb5585ce6045ff1ff.pdf
    • https://static.usrfiles.com/ugd/b8c837_d1850561e9a84fc1acdab69ed9269913.pdf
    • https://static.usrfiles.com/ugd/8e1900_7364473806ee4a8da4036bd84f1c13e4.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, kind, source inside the PDF, and size.

  • font_00_sfnt_off000052cd.bin
    SHA-256: 1dcf85c519529762832086d2f87f440e9f44a1fa6bdae674a552f4b5039b32d7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x52CD
    Size: 6712 bytes
  • font_01_sfnt_off000063bc.bin
    SHA-256: 14fce5c028e555229cb001eab5a6984a8e8c1941887c167d5267bb7705830aa5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x63BC
    Size: 4868 bytes
  • font_02_sfnt_off00007424.bin
    SHA-256: dea0cf79f30119c991e0953e3f1586f9b295b00e4a11496e2caf1af243cd7dff
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7424
    Size: 6436 bytes
  • font_03_sfnt_off00008a4c.bin
    SHA-256: deb3fdb18c7371c0285a2888bcb24c3053eb85de104528eaea5a03a479819773
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8A4C
    Size: 12168 bytes
  • font_04_sfnt_off0000b1d2.bin
    SHA-256: 89d88174a6941e29d95412da3dc50f63e5666a45f2fca69c828f67d7ba3b84f3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB1D2
    Size: 16148 bytes