Malicious PDF — malware analysis report

Static analysis result for SHA-256 2b9b30774f9ed82f…

Verdict: MALICIOUS
File type: PDF
Size: 83.2 KB
Created: 2020-08-30 21:46:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b00de154ea40c63da4cb698855ae65ba
SHA-1: c8bf86cddb631a3e02234ab23a193cd786232712
SHA-256: 2b9b30774f9ed82f007a39a113119994c2d50ff0dcc9e6d363574f086ad20f7a
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a lure related to a video game trophy guide, but the embedded link redirects to a known malicious domain (ttraff.ru). This suggests a phishing or redirection attack. The PDF also contains a large number of links to other PDFs, likely for SEO manipulation to improve the visibility of the malicious redirector. The ML classifier strongly supports the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://ttraff.ru/wix?keyword=sekiro+shadows+die+twice+trophy+guid
    • https://cdn.shopify.com/s/files/1/0427/7141/5196/files/counter_strike_1._6_free_cs_warzone.pdf
    • https://cdn.shopify.com/s/files/1/0459/9844/0605/files/8772932977.pdf
    • https://cdn.shopify.com/s/files/1/0431/0165/1101/files/54392959616.pdf
    • https://cdn.shopify.com/s/files/1/0435/0096/1947/files/biluribupazajilunejuke.pdf
    • https://cdn.shopify.com/s/files/1/0437/9629/9937/files/immune_system_and_disease_worksheet_answers.pdf
    • https://cdn.shopify.com/s/files/1/0430/2936/4899/files/livapo.pdf
    • https://cdn.shopify.com/s/files/1/0429/4977/1430/files/35996449789.pdf
    • https://cdn.shopify.com/s/files/1/0431/8524/2261/files/clarisonic_mia_2_user_guide.pdf
    • https://cdn.shopify.com/s/files/1/0433/4993/4229/files/fomosebeduniguxujetu.pdf
    • https://cdn.shopify.com/s/files/1/0435/8527/4024/files/tazuvu.pdf
    • https://cdn.shopify.com/s/files/1/0431/5535/7852/files/game_guardian_4pda_android.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/pujofupokutesigitugut.pdf
    • https://static.usrfiles.com/ugd/b8c837_695ba211d7f043d898ec67f7cbd7a68f.pdf
    • https://static.usrfiles.com/ugd/0c8cc8_c83f92870348497f908e352a083580af.pdf
    • https://static.usrfiles.com/ugd/34ec99_978a172064d14665823e18a269d43b96.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000103d0.bin
  Hash (SHA-256): 53c5567e324bd41b97a5eedbe0a1587591cf4c2b1fafa2469f697f2719930016
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x103D0
  Size: 5664 bytes

Filename: font_01_sfnt_off00011728.bin
  Hash (SHA-256): 591716c8147d215383d743519c9e058850a9d53f27a0e8e367bbcd1c7f0223bf
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11728
  Size: 12528 bytes