Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea522b880de43a8d…

Verdict: MALICIOUS
File type: PDF
Size: 45.2 KB
Created: 2020-09-01 18:59:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a3dbdf5041de77caef24d83e1ed64c91
SHA-1: c2a8339762fd225e4dcfd58e270ccd543c93bfc7
SHA-256: ea522b880de43a8d7358b5a12cea7b4c5bdf246f42eaee3b9f1c239791325737
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a prominent link to 'ttraff.cc' which is flagged as a malicious redirector. Additionally, it hosts a large number of links to external PDF files, many hosted on 'static.usrfiles.com', suggesting a link farm or redirection scheme. The document body, though heavily obfuscated, contains the text 'Swiss food guide' and the malicious URL, reinforcing the lure.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/wix?keyword=swiss+food+guide

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000074fd.bin
    SHA-256: 711cc0e83abd79c9c220b6845a9a5d311b7563cb6d32f0596dc2df578cd9ce82
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x74FD
    Size: 4932 bytes
  • Filename: font_01_sfnt_off000085f3.bin
    SHA-256: 55d8a90b15a1e8240a1e5dca689babb01ecd98eaff3a9982ccbfded2033dc390
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x85F3
    Size: 10172 bytes