Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1a2a5e16ec6f90d…

MALICIOUS

PDF

45.8 KB Created: 2020-09-01 01:12:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 06b106416a3b9c65ada66c39dea77be9 SHA-1: 27987dcd3d591ab3e0eaa6f63a899b1584be3bac SHA-256: f1a2a5e16ec6f90dbd4efdf8b817622760f33c310dfeb566c1d60d427e655233
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, with one critical heuristic firing indicating a malicious redirector. The primary malicious URL identified is https://ttraff.com/wix?keyword=huawei+gpon+olt+configuration+guide, which is likely used to lure victims. The document body, though heavily obfuscated, contains references to this URL and other PDF links, suggesting a link farm strategy to distribute malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=huawei+gpon+olt+configuration+guide
    • https://static.usrfiles.com/ugd/b5472a_fa3b054a9cf549ac840712edcde310e4.pdf
    • https://static.usrfiles.com/ugd/735424_437f5490539a4fad83bab08f1feb5a31.pdf
    • https://static.usrfiles.com/ugd/b8c837_f7d901285f5b407ca264dc20b77830cf.pdf
    • https://static.usrfiles.com/ugd/4e6dd5_ba5ea603de234b64b22abfc9fd3314ca.pdf
    • https://static.usrfiles.com/ugd/cac9e4_f9251ce802ae4f0eba7cf9ab5e90f8d9.pdf
    • https://static.usrfiles.com/ugd/3be3a7_2c8c4ea4326b453ea5dfbe017974a089.pdf
    • https://static.usrfiles.com/ugd/48f461_f68b9dd578c44182a05ae56c2d14fac5.pdf
    • https://static.usrfiles.com/ugd/b8c837_5b35804b4e1b42b0b027bcbe58865553.pdf
    • https://static.usrfiles.com/ugd/c3f59f_dd37224fcd93405e93d371d8019783c0.pdf
    • https://static.usrfiles.com/ugd/b8c837_5764c5704b104971b7c20ceee43ed0e0.pdf
    • https://static.usrfiles.com/ugd/e5cbe5_debfc35444394b56be2bebc20b7d2532.pdf
    • https://static.usrfiles.com/ugd/63d3ad_54bbe9e7651243f9ad26c94c697f02ce.pdf
    • https://static.usrfiles.com/ugd/ea2f88_7ca2007cda244264929a644c075edac4.pdf
    • https://static.usrfiles.com/ugd/b8c837_8a4153a7e19d47fa837278ad535180e7.pdf
    • https://static.usrfiles.com/ugd/599026_32de19f8cab042a2b01b107ec9b4de32.pdf
    • https://static.usrfiles.com/ugd/6f9b04_5c25afeae1824dd1b9800642d5b8ff37.pdf
    • https://static.usrfiles.com/ugd/7603ae_afb2543048c24aab89666c47722fdfef.pdf
    • https://static.usrfiles.com/ugd/0ebc1f_fd52f4c38e204d8fbe36370531e20872.pdf
    • https://static.usrfiles.com/ugd/fb83f1_976606a0df2a49ac9eba41dbef94e392.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000687c.bin
2ebce2484d10a8b6408a03b0b915c5cfb764c970b2c722633fc25ef92cd47d6d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x687C 5080 bytes
font_01_sfnt_off000079dd.bin
17b590a77f00efd0bc96fd1861575a346e35dc7dc9ed736f9bf5149c0bfcd6c1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x79DD 10052 bytes
font_02_sfnt_off00009bfd.bin
ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9BFD 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.