Malicious PDF — malware analysis report

Static analysis result for SHA-256 fc6afb1982b45eb8…

MALICIOUS

PDF

43.7 KB Created: 2020-09-05 13:31:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 03cb51401d14df10ba0f533e80942587 SHA-1: 0c9d4ba89173b24a17614c143839933a6d58db6e SHA-256: fc6afb1982b45eb886acc75ff4303475028a17a8813ee8cfbfc2b808cbc5d435
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a prominent link to 'ttraff.link', a known malicious redirector, disguised with a keyword related to Android development. The document also features a large number of embedded links pointing to 'static.usrfiles.com', which is identified as a link farm. The ML classifier strongly flagged this PDF as malicious. The primary attack vector appears to be social engineering through deceptive links within the PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=android+studio+app+version+code
    • https://static.usrfiles.com/ugd/3aca14_ecde3484d93e458bb31f3fd3d9b91dc4.pdf
    • https://static.usrfiles.com/ugd/3cb6cb_e4cf871111c440d6b46babfd3b98784e.pdf
    • https://static.usrfiles.com/ugd/b8c837_161157c80ca949628ceda4d1d843ee1f.pdf
    • https://static.usrfiles.com/ugd/5438e3_ea8569487abc4d15abd2672fc94f9561.pdf
    • https://static.usrfiles.com/ugd/ca300b_b596b6a8af63420bb704ad470e191569.pdf
    • https://static.usrfiles.com/ugd/53c654_2850202014e74a44a210fad81670d7ae.pdf
    • https://static.usrfiles.com/ugd/5bf82b_eac17f63dc264782be3c59ac5f8f3106.pdf
    • https://static.usrfiles.com/ugd/a4e402_cd9c6305b03c44c58d52823c2548d3e9.pdf
    • https://static.usrfiles.com/ugd/d32f78_06610d837f544a66a1de07cdd0ec0be3.pdf
    • https://static.usrfiles.com/ugd/bd1fc0_4b97b5bfa32440939a33c449bfbfbb8f.pdf
    • https://static.usrfiles.com/ugd/70c1f8_87d21eb2b97942619a7959097a2d1aa0.pdf
    • https://static.usrfiles.com/ugd/4c3ae3_fd2a1be14830444cb223f0ac01cd741e.pdf
    • https://static.usrfiles.com/ugd/5af86b_664744c9d0fe4a24a6921394ead5fb57.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006dff.bin
3fd48f6f6d7371bf380af5fd749e2b2929fe5bab6f0cfe4481ebd8dc046c6dc3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DFF 5084 bytes
font_01_sfnt_off00007f60.bin
25f81fb263cd02bcc9fdb6bbe9206503f878f82c8d505dede66fe8f2b1e29e86		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F60 10288 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.