Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ed8ea5d8f0ec519…

MALICIOUS

PDF

88.4 KB Created: 2020-09-01 08:50:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a9f9e663fc37d6173637061e396c9f84 SHA-1: 14b4424d2c659ff5f7b2fd219f2f47f696115fde SHA-256: 1ed8ea5d8f0ec519ac27040cf5593d81e4d7b8ab9a8935e3feb2c69bfad470cd
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.ru'. This URL is embedded within the document body, disguised as a download link for 'Pirates of caribbean 4 english subtitles'. The ML classifier also strongly flagged this PDF as malicious. The presence of a link farm heuristic further indicates malicious intent, likely for SEO poisoning or traffic redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9857

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=pirates+of+caribbean+4+english+subtitles
    • https://static.usrfiles.com/ugd/eb5a6a_e474b8e481514ac391d65cf89718e17e.pdf
    • https://static.usrfiles.com/ugd/136d07_66de4a432d5c4d8087855bd5722358b7.pdf
    • https://static.usrfiles.com/ugd/52b593_4be290cb431845d6993bc439d6360488.pdf
    • https://cdn.shopify.com/s/files/1/0441/4029/8392/files/credo_catolico_largo.pdf
    • https://cdn.shopify.com/s/files/1/0430/5590/6967/files/mojagisijuzi.pdf
    • https://cdn.shopify.com/s/files/1/0459/6049/5263/files/napidalojira.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/wososopozabe.pdf
    • https://cdn.shopify.com/s/files/1/0430/5063/1319/files/topographical_anatomy_and_operative_surgery_textbook_for_english_speaking.pdf
    • https://cdn.shopify.com/s/files/1/0434/5636/4711/files/wozifawiriripoxe.pdf
    • https://static.usrfiles.com/ugd/764aaa_2a6ee2c5f3e741e9bf10ca69da874faa.pdf
    • https://static.usrfiles.com/ugd/ea9bdf_af60765d0a1a4ba7aed8cef3a6831dc7.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 15

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_016_off000120e9.bin
375d692354f5ee5308284a7c795b310d3f7328fb56ec8604abc24934b6e33f39		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x120E9 18680 bytes
font_00_sfnt_off0000558c.bin
b6d8f72b59c47e884b0b6746a25c5cbd96eb494928042fd8f7d2b0ad088f297a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x558C 7916 bytes
font_01_sfnt_off000069eb.bin
004b75f9a2b6dad045ff2502906bc075ada76e11c2e257cacb64b4fc660277a9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x69EB 3468 bytes
font_02_sfnt_off00007661.bin
374f340f15f175ab2bf503314abf39cf0655b104e69f3a5b66b9b4a92db30a92		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7661 5372 bytes
font_03_sfnt_off000088a4.bin
1620336da6018abf771a3b64a4739dbc5cc5761e5bcfd31f9568e9163b5e6178		 pdf-font-stream PDF embedded font (sfnt) at offset 0x88A4 2656 bytes
font_04_sfnt_off000093a9.bin
b7882c459d94d9fb05ee491b72d0ee9c35e8d4bc9ed5787c7a0b3ba78fd6bc86		 pdf-font-stream PDF embedded font (sfnt) at offset 0x93A9 4140 bytes
font_05_sfnt_off0000a0c7.bin
e23308bb06bff427f4fe2d795198e016b2e9db23d45fd702446b15ef1a1323d1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA0C7 3048 bytes
font_06_sfnt_off0000acd3.bin
6d897259d7ab9db79b0dbb16904cd99ff486aa7f4a475590a5d3e44eab6e0eed		 pdf-font-stream PDF embedded font (sfnt) at offset 0xACD3 2328 bytes
font_07_sfnt_off0000b78b.bin
d4cda5a9ecb2558448f754249352cd4d73a8f7efff03060ee9a54ebf713292d1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB78B 2604 bytes
font_08_sfnt_off0000c263.bin
869700f7b438b0b0f23cfbf3a170597ae1a6b01e9ba9f60fe7298d5eefb98f81		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC263 3840 bytes
font_09_sfnt_off0000d070.bin
b3976ad28991401f3a7e0d936621f3963ed8fd81aff5bedc9e25cf6548b1959b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD070 2108 bytes
font_10_sfnt_off0000da47.bin
87016e8933cc862d1d188edfbee698abcff8178ed3d6b510b61737ee02f60284		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDA47 4336 bytes
font_11_sfnt_off0000e7e6.bin
0b38f6fd5e0b54bfa22d5adee1cfe00629fe134100fc7cfc1ad14a2ab7974207		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE7E6 6148 bytes
font_12_sfnt_off0000f7d0.bin
a9c04325ca5a953aa3962cc34ecf6619a924d1f3dc7b271b703d0638646eb66c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF7D0 12372 bytes
font_14_sfnt_off00013f7c.bin
1cc80836e0a54a2c4db1185994f1ac0eab94f7f28d8d60f500043b8ef5b5dd0a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13F7C 3536 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.