Malicious PDF — malware analysis report

Static analysis result for SHA-256 f39f0cf21a247422…

MALICIOUS

PDF

38.3 KB Created: 2020-09-21 00:20:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b0d23fff268072418d655088d7b4ecd6 SHA-1: fb9a5699cdaf5c8f379518d6a633672b187b5526 SHA-256: f39f0cf21a24742244c728f9272d4d06d55d2c76a319dec034babb13df6b94b8
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass external link farm, with a critical heuristic firing for a malicious redirector link. The primary malicious URL identified is https://ttraff.me/wix?keyword=batman+telltale+trophy+guide, which is likely intended to lead the user to a malicious site. The document body, though heavily obfuscated, contains references to this URL and other PDF links, suggesting a social engineering lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=batman+telltale+trophy+guide
    • https://a6422404-db27-4d15-ba10-faaaa81bbc07.filesusr.com/ugd/dc8a8e_7c28eb224a7e49d28da3126198935f2c.pdf?index=true
    • https://043fca62-4dde-4d9f-84e9-63a8232f2f1e.filesusr.com/ugd/3e9e83_b5ff166754c84ff08ce3ce70b41ac3ed.pdf?index=true
    • https://f4a93144-8f55-4e9b-b973-1b52567e1859.filesusr.com/ugd/6f7357_89fe31375998487e8a4949d626a76d5c.pdf?index=true
    • https://d0ab436f-3c52-497b-8d5a-0f3049698ef3.filesusr.com/ugd/2f3ac6_f64a8ded988b45c48318b31d067d2d82.pdf?index=true
    • https://cac5e679-db6a-40c5-a223-0c7828f58c55.filesusr.com/ugd/a91264_11c5dd8c2b5e4580ad8e20bbb3b2e45b.pdf?index=true
    • https://f75c7381-fdf1-47bd-a493-14fea68f17c0.filesusr.com/ugd/0d2fda_805b62f7b0d04910af399c902f22a791.pdf?index=true
    • https://3251f340-8eb6-4b7f-a120-2fb4bc5d2789.filesusr.com/ugd/5ed537_dabcdbb2a2c4463fb8f22e06c504223c.pdf?index=true
    • https://b6856052-8bd7-47db-8bae-e8a7a01c4661.filesusr.com/ugd/cf9ff1_5cd08a467112438ab2513f42caeda726.pdf?index=true
    • https://e907affc-7b36-49dc-8be5-e7d27a1cacc2.filesusr.com/ugd/3bca44_d36f174a9a5643cc9258f952eaae4a20.pdf?index=true
    • https://fb73f1f8-c49e-40d6-b007-3e5f76101d55.filesusr.com/ugd/0ebc1f_8c8522b76ae84741a8a8c08371e7677a.pdf?index=true
    • https://b74e340b-2c1b-4f9c-b6b6-1dde12d9a1bc.filesusr.com/ugd/efc97f_263848b278dd4c4896edd32fb7cd3143.pdf?index=true
    • https://35b654f7-c38b-4740-97ab-a95fcde384fe.filesusr.com/ugd/868f76_46e4049bc3254eec9a3c1b3a09dc4803.pdf?index=true
    • https://f3d65c45-b73b-4750-ad71-59c60091f19f.filesusr.com/ugd/76aeb6_3517230e64d04b87a9c0fee9419ce4a7.pdf?index=true
    • https://af7eeb63-52ae-412e-8961-9c9852234324.filesusr.com/ugd/9c58c5_2708fe4376b241b0ba4e9a75dfe42a0b.pdf?index=true
    • https://0cf93afd-e915-4ab5-81a7-2e21a6cf3578.filesusr.com/ugd/934fc3_994598d0be0b417e8972055cc0cdad86.pdf?index=true
    • https://2ba5b2d3-43ca-4889-ac34-9a1f34ff64c6.filesusr.com/ugd/3f0e57_d9f8d239fbcd446b826584438deda1f4.pdf?index=true
    • https://2391536d-8296-442b-a71e-c7d27f6a7362.filesusr.com/ugd/8da65f_686c0c7e14404c8fb2793e19d2fdf5f3.pdf?index=true
    • https://8aa66783-3e78-4dfe-a478-c764a3b8df9c.filesusr.com/ugd/c2bf0a_ae4e6c2089514637864d99080d3adba7.pdf?index=true
    • https://06aacafa-7386-45f1-9cfa-cc4b7114829e.filesusr.com/ugd/3254bf_35d9315f383b4459904a7a77356e2d21.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://af7eeb63-52ae-412e-8961-9c9852234324.filesusr.com

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005698.bin
0891bbce5e2a30516140f4d17d26de86d023f8aa49f32a915797f72068ddbc97		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5698 5344 bytes
font_01_sfnt_off000068a3.bin
fb42b203fed86f460e42f02ae33cb1e7b1532997adea17d7e4bc190b52b56181		 pdf-font-stream PDF embedded font (sfnt) at offset 0x68A3 10404 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.