Malicious PDF — malware analysis report

Static analysis result for SHA-256 32722c7c9e5c196e…

Verdict: MALICIOUS
File type: PDF
Size: 58.5 KB
Created: 2020-08-31 09:20:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7). wkhtmltopdf renders HTML to PDF, so the file was generated from a web page, which fits an automatically produced link-farm document rather than a hand-authored one.
MD5: a73606fbdb9d678ce11a918d26705137
SHA-1: f6d6acd8902af0b12ab40c8bde36970f6e574433
SHA-256: 32722c7c9e5c196eb98e1f10bda72b857b56cf4cbecd6e4011c13120f7270e54
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1059.001 Command and Scripting Interpreter: PowerShell
Note: nothing in this report's findings (the heuristics fire on clickable URI links only, and the carved artifacts are four font streams) shows the sample invoking PowerShell. Treat the T1059.001 mapping as a campaign-level association, not as behaviour observed in this file.

Two critical heuristics fired. The first is a clickable link to a known malicious redirector, https://ttraff.ru/wix?keyword=… (the query string carries the SEO keyword the document was generated for). The second is a PDF link farm: a 58.5 KB document carrying thirteen clickable links to other PDFs, hosted on cdn.shopify.com and static.usrfiles.com (the file CDN used by Wix sites, matching the /wix path of the redirector). The ML classifier scored the file 1.0000 malicious. The sample carries no exploit; it depends entirely on the user clicking a link and following a redirect chain. The primary IOC is the redirector URL; the thirteen hosted PDFs are secondary IOCs and are likely sibling carriers from the same campaign, worth retrieving and analysing.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI pointing to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains, not on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JavaScript, link annotation, document body, ...) reached each URL.
    Clickable link annotations (14), the channel the two critical heuristics act on:
    • https://ttraff.ru/wix?keyword=les+trois+mondes+selon+deng+xiaoping (redirector; primary IOC)
    • https://cdn.shopify.com/s/files/1/0431/3343/6055/files/maromaduwe.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/37394074323.pdf
    • https://cdn.shopify.com/s/files/1/0432/2315/4847/files/zimudusezegazewu.pdf
    • https://cdn.shopify.com/s/files/1/0434/4673/0904/files/xarukamedoxuminavonurav.pdf
    • https://static.usrfiles.com/ugd/2c608b_2880ec76809045e1bb6afc1ad2f70a73.pdf
    • https://static.usrfiles.com/ugd/0dd040_e518febe3d764b7faa9e50e5d03e1984.pdf
    • https://static.usrfiles.com/ugd/33a16d_9c47412791e94822af2cf8707b9df663.pdf
    • https://cdn.shopify.com/s/files/1/0427/4749/4567/files/tabitamezogewerinor.pdf
    • https://cdn.shopify.com/s/files/1/0428/4920/6439/files/11328179608.pdf
    • https://static.usrfiles.com/ugd/9d869b_f6b3d73a25584719b848301206223d84.pdf
    • https://static.usrfiles.com/ugd/74c34a_9f711f53e12043fda00480f9b4a66d0e.pdf
    • https://static.usrfiles.com/ugd/aa14a9_302e6da555a54b8b8820cffb8492bc08.pdf
    • https://static.usrfiles.com/ugd/6a22cb_3cc1a0843f1748b39b2ae5d1f61fffe5.pdf
    XMP metadata namespace identifiers (6), extracted from the document's XMP packet. These are standard RDF, Dublin Core and Adobe XMP namespace URIs present in any XMP-carrying PDF; they are not clickable and are not IOCs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
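The two critical heuristics above and the EMBEDDED_URL channel labelling can be reproduced with a few lines of Python. The following is an added example written for this report, not the analyzer's own code: it pulls /URI link-annotation actions and XMP namespace declarations out of an uncompressed PDF with regular expressions, labels each URL with the channel that carried it, and applies the redirector and link-farm rules. The watchlist (`REDIRECTOR_HOSTS`, seeded from this report's IOC), the thresholds (`max_size`, `min_links`, `cluster_ratio`) and the embedded sample PDF are all assumptions constructed for the example; production code should walk objects with a real PDF parser (object streams and FlateDecode-compressed content defeat a raw regex scan).

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed stand-in for the sample: a tiny uncompressed PDF skeleton carrying six
# /URI link annotations and an XMP packet. It is not the analysed file and is not a
# valid PDF (no xref, wrong stream lengths); it only has to be a scan target.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 20 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://ttraff.ru/wix?keyword=test) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0001/files/a.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0002/files/b.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0003/files/c.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://static.usrfiles.com/ugd/d.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://static.usrfiles.com/ugd/e.pdf) >> >> endobj
20 0 obj << /Type /Metadata /Subtype /XML >> stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/"/>
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI action with a literal string operand; the group tolerates backslash escapes.
URI_ACTION = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
# Namespace declarations inside the XMP packet (these are identifiers, not links).
XMP_NS = re.compile(rb'xmlns:[A-Za-z0-9_]+="([^"]+)"')

# Assumed watchlist: hosts known to act as redirectors for this campaign.
REDIRECTOR_HOSTS = {"ttraff.ru"}


def extract_urls(pdf_bytes):
    """Return (url, channel) pairs; the channel records which part of the file carried the URL."""
    found = [(m.group(1).decode("latin-1"), "link-annotation") for m in URI_ACTION.finditer(pdf_bytes)]
    found += [(m.group(1).decode("latin-1"), "xmp-namespace") for m in XMP_NS.finditer(pdf_bytes)]
    return found


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def check_redirector(urls):
    """PDF_MALICIOUS_REDIRECTOR_LINK: any clickable link whose host is on the watchlist."""
    return [u for u, ch in urls if ch == "link-annotation" and host_of(u) in REDIRECTOR_HOSTS]


def check_link_farm(urls, file_size, max_size=200 * 1024, min_links=5, cluster_ratio=0.5):
    """PDF_SEO_LINK_FARM: small file, many clickable links to other PDFs, most on one host.
    Thresholds are assumed for the example, not the analyzer's."""
    pdf_links = [u for u, ch in urls
                 if ch == "link-annotation" and urlparse(u).path.lower().endswith(".pdf")]
    if file_size > max_size or len(pdf_links) < min_links:
        return None
    top_host, top_n = Counter(host_of(u) for u in pdf_links).most_common(1)[0]
    share = top_n / len(pdf_links)
    if share < cluster_ratio:
        return None
    return {"pdf_links": len(pdf_links), "top_host": top_host, "top_host_share": share}


def analyze(pdf_bytes):
    """Run the three rules and return (severity, rule_id, evidence) tuples in report order."""
    urls = extract_urls(pdf_bytes)
    findings = []
    redirectors = check_redirector(urls)
    if redirectors:
        findings.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", redirectors))
    farm = check_link_farm(urls, len(pdf_bytes))
    if farm:
        findings.append(("critical", "PDF_SEO_LINK_FARM", farm))
    findings.append(("info", "EMBEDDED_URL", urls))   # every URL, labelled by channel
    return findings


if __name__ == "__main__":
    for severity, rule, evidence in analyze(SAMPLE_PDF):
        print(f"[{severity}] {rule}: {evidence}")
```

The channel label is what separates the six XMP namespace URIs in the list above from the fourteen link annotations: both are "URLs in the file", but only the link-annotation channel can be clicked, so only that channel feeds the two critical rules.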

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size / SHA-256

font_00_sfnt_off00007f31.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x7F31
  Size:    5076 bytes
  SHA-256: 9f9a4ee4f964f59496c56213c040bec760c082200a7f9b01a15a7497994b0f85

font_01_sfnt_off0000905b.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x905B
  Size:    12836 bytes
  SHA-256: fd9e290f45d08153b79df11943a7580c6333c58ce244ab157003c36b7c1ba678

font_02_sfnt_off0000b85a.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xB85A
  Size:    16076 bytes
  SHA-256: 6d49c5076e43e024c29311683f1fbefb413b168b07b361c28ece64bf6ad50fdd

font_03_sfnt_off0000ccf5.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xCCF5
  Size:    4324 bytes
  SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3

All four artifacts are embedded font programs, which is what a wkhtmltopdf rendering is expected to contain. Nothing else was carved from the sample, consistent with a document that delivers its payload through clickable links rather than through the PDF reader itself.
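To reproduce the "sfnt at offset" rows above, or to verify a carved file really is a font and not a mislabelled blob, the following added example (written for this report, not the analyzer's code) scans a byte buffer for sfnt header signatures, validates the table directory before accepting a hit, computes the carved length from the directory, and hashes the result. The real carver most likely walks /FontFile stream objects rather than scanning for magic bytes; the signature scan here is an assumption chosen so the example runs on raw bytes. The toy font and the enclosing sample PDF are constructed for the example and are not valid for rendering.

```python
import hashlib
import struct

# sfnt wrapper signatures: TrueType (0x00010000), CFF-based OpenType ("OTTO") and
# classic Mac TrueType ("true"). TrueType collections ("ttcf") use a different header
# and are deliberately not handled here.
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"OTTO", b"true")


def build_toy_font():
    """Constructed, minimal sfnt: a header plus one 'head' table of 56 zero bytes.
    Structurally valid for the parser below, unusable as an actual font."""
    num_tables = 1
    directory_end = 12 + 16 * num_tables
    table = b"\x00" * 56                                 # 4-byte aligned, like real tables
    header = SFNT_MAGIC[0] + struct.pack(">HHHH", num_tables, 16, 0, 0)
    record = b"head" + struct.pack(">III", 0, directory_end, len(table))   # checksum, offset, length
    return header + record + table


def parse_sfnt(blob, offset):
    """Validate an sfnt header at `offset`; return its table directory and carved length, or None."""
    if blob[offset:offset + 4] not in SFNT_MAGIC or offset + 12 > len(blob):
        return None
    num_tables = struct.unpack(">H", blob[offset + 4:offset + 6])[0]
    if not 1 <= num_tables <= 64:            # rejects random byte matches such as "/Interpolate true"
        return None
    tables, end = [], 12 + 16 * num_tables
    for i in range(num_tables):
        rec = offset + 12 + 16 * i
        if rec + 16 > len(blob):
            return None
        tag, _checksum, toff, tlen = struct.unpack(">4sIII", blob[rec:rec + 16])
        if not all(0x20 <= c < 0x7F for c in tag) or toff + tlen > len(blob) - offset:
            return None                      # table tag must be printable, table must fit in the buffer
        tables.append((tag.decode("ascii"), toff, tlen))
        end = max(end, toff + tlen)
    return {"offset": offset, "length": (end + 3) & ~3, "tables": tables}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def carve_fonts(pdf_bytes):
    """Scan for sfnt signatures, keep only hits that parse, and name them like the report's rows."""
    found, pos = [], 0
    while True:
        hits = [h for h in (pdf_bytes.find(m, pos) for m in SFNT_MAGIC) if h != -1]
        if not hits:
            return found
        off = min(hits)
        info = parse_sfnt(pdf_bytes, off)
        if info is None:
            pos = off + 1                    # false positive, keep scanning
            continue
        data = pdf_bytes[off:off + info["length"]]
        info["sha256"] = sha256_hex(data)
        info["name"] = f"font_{len(found):02d}_sfnt_off{off:08x}.bin"
        found.append(info)
        pos = off + info["length"]           # do not rescan inside a carved font


TOY_FONT = build_toy_font()

# Constructed sample PDF: one image object containing the decoy word "true" (a literal
# sfnt signature that is not a font) followed by a stream holding the toy font.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /XObject /Subtype /Image /Interpolate true >> stream\nendstream endobj\n"
    + b"2 0 obj << /Length " + str(len(TOY_FONT)).encode() + b" >> stream\n"
    + TOY_FONT
    + b"\nendstream endobj\n%%EOF\n"
)

if __name__ == "__main__":
    for font in carve_fonts(SAMPLE_PDF):
        print(font["name"], font["length"], "bytes", font["tables"], font["sha256"])
```

The plausibility checks in `parse_sfnt` are the part worth keeping: the bare strings "true" and "OTTO" occur in ordinary PDF syntax and text, so a signature scan without directory validation will carve garbage and report meaningless hashes.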