Malicious PDF — malware analysis report

Static analysis result for SHA-256 f46ce1ccf7984d01…

MALICIOUS

PDF

40.4 KB Created: 2020-09-08 06:18:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 02c41e72e6c3dc5c6a4cdd24f1cb6591 SHA-1: 674a36fa1854c878e2e62844e4cbdd578da90474 SHA-256: f46ce1ccf7984d01b44d0c74032b59b553647cece6d4cae9570d2352d26b61a0
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a malicious redirector link that masquerades as an offer to install a Play Store app. This link, 'https://ttraff.ru/wix?keyword=play+store+app+free++and+install', leads to known malicious infrastructure. The document also hosts a large number of external PDF links, suggesting a link farm or SEO poisoning tactic. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=play+store+app+free++and+install
    • https://static.usrfiles.com/ugd/0c60a0_30f582b1acec4a0e9d925c4953ba1659.pdf
    • https://static.usrfiles.com/ugd/dcc11b_ae7622b14dc6472684d7810ee85d9827.pdf
    • https://static.usrfiles.com/ugd/0a0016_d40b410a23614157a5b295da5303179a.pdf
    • https://static.usrfiles.com/ugd/61804c_b9383eaee93a4129a3b23ae865e134a8.pdf
    • https://static.usrfiles.com/ugd/2ac701_5d44301f9cda432fab47f2faddb3c16f.pdf
    • https://static.usrfiles.com/ugd/5f226b_6605025024c64496899a94103e2e430a.pdf
    • https://static.usrfiles.com/ugd/b8c837_16a197206b3d42e798e881b61fe74dd9.pdf
    • https://static.usrfiles.com/ugd/6f53d7_9cc0a098bf67417b8a6eb4c335b2f98c.pdf
    • https://static.usrfiles.com/ugd/027f51_f6f4e72cc4014babb00c48a6e060cdd3.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006130.bin
5a19ffd864bb5785ea61f9f721197a673b6bc7f03fce9de067b51ac176751a59		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6130 5140 bytes
font_01_sfnt_off000072c2.bin
03007f9a25097255e8c3106aba74bc2435cc8d64bd6ca2050845df5566dd08df		 pdf-font-stream PDF embedded font (sfnt) at offset 0x72C2 10004 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.