Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff10f23c25c5c331…

MALICIOUS

PDF

Size: 54.9 KB
Created: 2020-08-31 05:42:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9d130fbe6addb3260ba66cb84d334635
SHA-1: a97cec7241ff761e1951cb97a3e6f3f5017d853d
SHA-256: ff10f23c25c5c33115149d52d463b3f71ebcb72d4d78c6214e291bb5cc045350
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF was flagged by multiple heuristics as malicious, specifically for containing a link to a known malicious redirector at 'https://ttraff.com/wix?keyword=fonema+r+suave+eliminar'. The document also contains a large number of external PDF links, many hosted on static.usrfiles.com, suggesting a link farm or SEO poisoning attempt. The ML classifier strongly supports the malicious verdict. No scripts were extracted, and the document body is heavily obfuscated, but the presence of the malicious redirector is a strong indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/wix?keyword=fonema+r+suave+eliminar

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Hash (SHA-256) | Kind | Source | Size
font_00_sfnt_off00006319.bin | 18f4960a52d64bc83d6c304eee4b25c9ca37eec54c0f4efd5701b5568bea1fd1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6319 | 6568 bytes
font_01_sfnt_off00007368.bin | 18d17102e0c8e6d25fdd1fd3f047cc39c48343e2db2d149d42288db5b027dfa7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7368 | 4848 bytes
font_02_sfnt_off000083bd.bin | 1de02c2199b601e14817e82402db2382a0a8fc899f49f965d7e82b23e069b554 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x83BD | 3260 bytes
font_03_sfnt_off000090f7.bin | 44e116141ef8754405dd10b903168e075824c36f7ba5286872d0cbc238c5052a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x90F7 | 11412 bytes
font_04_sfnt_off0000b68a.bin | 55db1795a335ababb809e11894f2738b68b50beb681efebf21149f0dce1d66d8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB68A | 16324 bytes