Malicious PDF — malware analysis report

Static analysis result for SHA-256 28e418d3be6d971e…

Verdict: MALICIOUS
File type: PDF
Size: 48.9 KB
Created: 2020-07-20 03:12:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c07e46bb03c4ed1472d90bd9c0c71e5a
SHA-1: 7f72ab0d3d7a06bb297441f45bc383800acb49e4
SHA-256: 28e418d3be6d971ef7dc61a6d83ef878ad97936d6a40257d8ab4441cf32f74a1
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a malicious redirector link pointing to 'ttraff.ru', which is flagged as malicious. Additionally, the PDF exhibits characteristics of a link farm, embedding numerous external links, many of which point to Shopify domains. The ML classifier also strongly indicated maliciousness. The primary attack vector appears to be luring the user to click the malicious link under the guise of accessing a 'lean production definition pdf'.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wb?keyword=lean%20production%20definition%20pdf
    • http://files.pianolessonsbyjulie.com/uploads/1/3/1/3/131380868/59baef08.pdf
    • http://files.kroepfer-club.com/uploads/1/3/1/6/131606965/zoxuta_peguma_jowigamebawova_diborib.pdf
    • http://files.dancedesign.org/uploads/1/3/0/7/130739444/041c01e1dc9.pdf
    • http://files.autismhr.com/uploads/1/3/1/1/131164117/b172eb.pdf
    • http://files.brandonrdavis.com/uploads/1/3/1/3/131398533/rukenamereluma-xejubivonuri-resagog.pdf
    • https://cdn.shopify.com/s/files/1/0431/6682/6656/files/77990465744.pdf
    • https://cdn.shopify.com/s/files/1/0431/7190/5698/files/valojevisifujewerilofaxa.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/86187089948.pdf
    • https://cdn.shopify.com/s/files/1/0429/2981/5705/files/bipafuzuzibazoloweda.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/41448402009.pdf
    • https://sikepoba542369694.files.wordpress.com/2020/07/kelixuxififoremikuxux.pdf
    • https://viledegup.files.wordpress.com/2020/07/luwafiwusujawesosar.pdf
    • https://lezidonopo.files.wordpress.com/2020/06/12786432543.pdf
    • https://cdn.shopify.com/s/files/1/0428/7725/5836/files/98931641474.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/30617095305.pdf
    • https://cdn.shopify.com/s/files/1/0433/7342/8888/files/padegememaxirirokifit.pdf
    • https://cdn.shopify.com/s/files/1/0429/4567/5420/files/jetukolelopura.pdf
    • https://cdn.shopify.com/s/files/1/0430/6183/7981/files/53447985477.pdf
    • https://cdn.shopify.com/s/files/1/0431/2186/8960/files/16169983621.pdf
    • https://cdn.shopify.com/s/files/1/0434/0839/2353/files/42649798704.pdf
    • https://cdn.shopify.com/s/files/1/0433/5117/9416/files/dujoli.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/13170590630.pdf
    • https://cdn.shopify.com/s/files/1/0432/7600/9622/files/subujadugivasap.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000082ef.bin
    SHA-256: c1618122e7424572699d3e98154a3503b3ed30da214b6c07b08827ead6f89492
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x82EF
    Size: 4760 bytes
  • Filename: font_01_sfnt_off0000932a.bin
    SHA-256: f19ca80831a95488a8794a0e17e84758e0580c59a61df52e475dd8bc6e8a2916
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x932A
    Size: 10052 bytes