Malicious PDF — malware analysis report

Static analysis result for SHA-256 1e5d4ff676aaaae3…

MALICIOUS

PDF

Size: 40.2 KB
Created: 2020-09-06 20:40:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-31
MD5: cd58b3d2405b3468cc370bbde8f76aa6
SHA-1: bba155fcbd479a74f0c09c093ae92c820bbcc5b7
SHA-256: 1e5d4ff676aaaae3470b2497fb4cf861fde84c3c43056197bd03668268262cc4
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file contains embedded links designed to redirect users to malicious infrastructure, specifically identified by the 'PDF_MALICIOUS_REDIRECTOR_LINK' heuristic. The document body, though heavily obfuscated, contains a URL that appears to be part of a link farm strategy. The primary malicious URL is https://ttraff.ru/wix?keyword=manufacturing+balance+sheet+example, which is likely used to distribute further malicious content or phish for information.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9969

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=manufacturing+balance+sheet+example (in PDF document text)