Malicious PDF — malware analysis report

Static analysis result for SHA-256 242c55d700cd4438…

Verdict: MALICIOUS
File type: PDF
Size: 46.3 KB
Created: 2020-08-10 06:40:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 994adf4ec2e98af32eacf3e902146667
SHA-1: 81b3b744876202737eb34ef49a41158fbeccde52
SHA-256: 242c55d700cd44381835ee9a0b37c58e9f4e6aab507b7adcf0a5d27982c9fbc8
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to domains associated with link farms and redirectors, such as ttraff.ru. The document body, though heavily obfuscated, contains references to academic material and the malicious URL, suggesting a lure to trick users into visiting potentially harmful sites. The ML classifier strongly supports the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=strength+of+materials+pdf+singer

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000062f2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x62F2  5560 bytes
  SHA-256: 9c33967c76a71a0a4989ded0c96b4664e947e28842021579e3fa3ce27db2f0a2
font_01_sfnt_off000075a4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x75A4  2116 bytes
  SHA-256: 33d80b5e357abfa3ea91f5eff18928953f8e36d8e9a7aea158c838e8ae756dd9
font_02_sfnt_off00007f6e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7F6E  13900 bytes
  SHA-256: 7b33eaed30e6c996d69ee1c0f6b57826f4ffa36a630c65fc121fea82a97d5d60