Malicious PDF — malware analysis report

Static analysis result for SHA-256 35becf539cbb5827…

MALICIOUS

PDF

38.4 KB Created: 2020-08-28 21:48:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a77a4f2ebc6a8267743e9d4b3aa9cd5e SHA-1: aae813473da60663c1e8081e8363492b44ed168c SHA-256: 35becf539cbb5827b1524666e44886685de46aa3bf66e4e511f90820c3a728df
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous links, including one pointing to a known malicious redirector infrastructure at 'ttraff.ru'. The document body, though heavily obfuscated, contains the same URL and a reference to 'wkhtmltopdf', suggesting it was generated programmatically. The presence of a link farm and a malicious redirector indicates an attempt to drive traffic to malicious sites, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=cheap+hotels+in+chelsea+new+york
    • https://cdn.shopify.com/s/files/1/0431/0233/9232/files/tekeragizubowewevasik.pdf
    • https://cdn.shopify.com/s/files/1/0430/8529/9876/files/24550963765.pdf
    • https://cdn.shopify.com/s/files/1/0433/8457/0012/files/42822413730.pdf
    • https://static.usrfiles.com/ugd/b8c837_814beba33fbf4176a8a69cdb8eead0bf.pdf
    • https://static.usrfiles.com/ugd/b8c837_88337e4664b04b30ac83f69ffabd745e.pdf
    • https://static.usrfiles.com/ugd/b8c837_81b48788db024d088584af02255238f5.pdf
    • https://static.usrfiles.com/ugd/b8c837_b0e989ece0c043408877d2cb320f75f9.pdf
    • https://static.usrfiles.com/ugd/b8c837_b89d1339c7be4540bef989657ddeba12.pdf
    • https://static.usrfiles.com/ugd/b8c837_172efa5ee21f4ac49c4e42bfffa82872.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://static.usrfiles.com/ugd/b8c837_88337e4664b04b

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000596e.bin
4a11304a53514fdca49084c11d55974ceb7d4a3295eeda6d54a485ec2960e3df		 pdf-font-stream PDF embedded font (sfnt) at offset 0x596E 5184 bytes
font_01_sfnt_off00006b17.bin
728d4124f992ac561ca4054cbb1acb7672c3b5e6c7b23fba040e8f02c11b738c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B17 9884 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.