Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5d314bfc613059f…

MALICIOUS

PDF

45.2 KB Created: 2020-09-02 00:46:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 03d6c1996743b9574c1d26fe301ea899 SHA-1: 60c7818d914fa2093af94e508ff45f4daed697c2 SHA-256: f5d314bfc613059f03333a2ef060fa94ee69ec2a41bbfc436b63810a23f50654
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.ru, which is disguised as an online ATM form. This suggests a phishing attempt or a lure to download further malicious content. The PDF also contains a large number of external links, many pointing to static.usrfiles.com, indicating a potential link farm for SEO manipulation or distribution. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=boi+online+atm+form
    • https://static.usrfiles.com/ugd/3de8a6_ed566c5078bc4a40a0e3d0f9adec1abb.pdf
    • https://static.usrfiles.com/ugd/e23fbb_8675a340f7e44ada86ee61f591eba8b4.pdf
    • https://static.usrfiles.com/ugd/e4ff69_92504800005945349aaea9981714c5bd.pdf
    • https://static.usrfiles.com/ugd/a48928_b72ae7a28c324f599bec60ac2e5b66e1.pdf
    • https://static.usrfiles.com/ugd/ee6100_9989b1b6468b46c48cc6eb8b507ef459.pdf
    • https://cdn.shopify.com/s/files/1/0433/8502/8764/files/supercalifragilisticexpialidocious_broadway.pdf
    • https://cdn.shopify.com/s/files/1/0466/2611/1653/files/musepavagesusixolod.pdf
    • https://cdn.shopify.com/s/files/1/0428/1755/2543/files/tunevividubodapopu.pdf
    • https://cdn.shopify.com/s/files/1/0430/7976/2073/files/length_of_a_string_c.pdf
    • https://cdn.shopify.com/s/files/1/0434/4699/3063/files/nafololesuxopifam.pdf
    • https://static.usrfiles.com/ugd/a771bd_eb18f0cbc4704db8aa9b38665ace8647.pdf
    • https://static.usrfiles.com/ugd/162fe6_ad2d46dd40014e1ea9e8fbc79ce2c953.pdf
    • https://static.usrfiles.com/ugd/2f3ac6_fa94db9985f148e99e31fc26a9eaa012.pdf
    • https://cdn.shopify.com/s/files/1/0433/8401/2956/files/49061114273.pdf
    • https://cdn.shopify.com/s/files/1/0431/7567/4024/files/gutupu.pdf
    • https://cdn.shopify.com/s/files/1/0428/3577/1558/files/1773584352.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007288.bin
2745d84c6aed29155ddc66e5daa9307764ad682993145a82bffc363a35346bfb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7288 4784 bytes
font_01_sfnt_off000082b7.bin
9d7db706e3ce1ca529794d26f00c95f076216ae3570d725a1aa9d89991d6e859		 pdf-font-stream PDF embedded font (sfnt) at offset 0x82B7 10920 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.