Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb8653344395f197…

MALICIOUS

PDF

41.2 KB Created: 2020-09-01 03:12:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b72d90390884c0e143d8d4533b8d28e4 SHA-1: ebb966cb42701dc31d7fd97a2f0616bcf2c7e821 SHA-256: fb8653344395f197c83bde8d88ebadcf5a6c44debb67d57e1ec6e8b6ca06c587
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains multiple embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.cc/pify?keyword=acceleration+calculation+worksheet', which is flagged as malicious. The PDF also features a large number of external links, many hosted on static.usrfiles.com, suggesting a link farm or SEO poisoning tactic to distribute malicious content. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=acceleration+calculation+worksheet
    • https://static.usrfiles.com/ugd/b50c55_7c352ea8148a4b11ba8a58844b3b64ec.pdf
    • https://static.usrfiles.com/ugd/b8c837_7cd07d6a290341e78b8e927004c7b71b.pdf
    • https://static.usrfiles.com/ugd/09c3c7_b6b46666ea1b40968e0deb9dda151d93.pdf
    • https://static.usrfiles.com/ugd/22bf55_7b437c07dd484fb5b94cc3e43ed087b7.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/90841244024.pdf
    • https://cdn.shopify.com/s/files/1/0429/6255/0940/files/77755859278.pdf
    • https://cdn.shopify.com/s/files/1/0438/6160/6550/files/binulexakesomodezaba.pdf
    • https://cdn.shopify.com/s/files/1/0428/9665/4489/files/22640559114.pdf
    • https://static.usrfiles.com/ugd/b98abb_6bd72765e4224c698ecd662f85838510.pdf
    • https://static.usrfiles.com/ugd/e8506d_115dbb9f68944563a045d3492cf20ed2.pdf
    • https://static.usrfiles.com/ugd/5926b4_cb5865ad941b418b982b9355b227aeb0.pdf
    • https://static.usrfiles.com/ugd/fd3290_f846e3abe764430dba84efbd89624e99.pdf
    • https://static.usrfiles.com/ugd/b8c837_d3faba924c5144b0899bbc2da6b149b6.pdf
    • https://cdn.shopify.com/s/files/1/0441/2401/2696/files/15126904514.pdf
    • https://cdn.shopify.com/s/files/1/0431/2032/8864/files/povoduxafuxulukapenojizuv.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006300.bin
685cf5f459c9dcf69bd0e531a658b290629b69cb2716df17d93110736dd768f8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6300 5032 bytes
font_01_sfnt_off0000742a.bin
b57e9a510905e9c68024bf5290481f9d9d82ef8592ef9fa08df45c2198600d00		 pdf-font-stream PDF embedded font (sfnt) at offset 0x742A 10488 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.