Malicious PDF — malware analysis report

Static analysis result for SHA-256 edd6311e761d996f…

MALICIOUS

PDF

44.3 KB Created: 2020-09-08 23:41:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0009c1e1b8f42a283309fc42c97e7879 SHA-1: 24a78b8ac3371f625e0ce9a6962305386fcf515e SHA-256: edd6311e761d996fd904b72e92a278c7a80afcfbcf61bdf45db71c7a5bf2c8e5
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains multiple external links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.club/pify?keyword=investigative+report+format+pdf', suggesting a lure to a malicious site. The presence of numerous PDF links also indicates a link farm, a common tactic for SEO poisoning or distributing malicious content. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/pify?keyword=investigative+report+format+pdf
    • https://static.usrfiles.com/ugd/55e2c6_c774de77e0cf4304bcc82e6482818089.pdf
    • https://static.usrfiles.com/ugd/39a0fd_a97d083bc3c74b8984650770987b6be9.pdf
    • https://static.usrfiles.com/ugd/93971e_1f3e2b33a0314d048f261935e0c2ef92.pdf
    • https://static.usrfiles.com/ugd/e6092c_28a861c66f944757bdccdb59f382cdad.pdf
    • https://cdn.shopify.com/s/files/1/0440/8141/4296/files/auburn_opelika_restaurant_guide.pdf
    • https://cdn.shopify.com/s/files/1/0433/4557/6088/files/70463565271.pdf
    • https://static.usrfiles.com/ugd/6908d7_930267aee9bc49b4a91f410a3ede28b6.pdf
    • https://static.usrfiles.com/ugd/9e41f0_c5b23ae1ec64441bba5f49d7449df5df.pdf
    • https://static.usrfiles.com/ugd/6f53d7_ce2127e0fbde4af3af526701d468eff5.pdf
    • https://static.usrfiles.com/ugd/5fd5c1_b9e4ac64e8124fe488ea282278b72846.pdf
    • https://static.usrfiles.com/ugd/4f270c_de3ebacdece9492cb92c4db414dcc566.pdf
    • https://static.usrfiles.com/ugd/b8c837_8049b98673904312b7b2d5c28064677c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000700e.bin
1e04cf53bb23563c579fa5c2094a95385c8c78ddad70fe1ce0be848af443a8ed		 pdf-font-stream PDF embedded font (sfnt) at offset 0x700E 5324 bytes
font_01_sfnt_off00008220.bin
15d4363efd5bec0b163903b9cf56e09541e1edb71b6df6a3828711086a29616f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8220 10028 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.