Malicious PDF — malware analysis report

Static analysis result for SHA-256 3861e0211000956d…

Verdict: MALICIOUS
File type: PDF
Size: 41.0 KB
Created: 2020-08-31 02:54:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b0841270037d1c2430b6dad7f63750df
SHA-1: 1d0f6a18e0ccf9676314b0bf763fb4f2d1165f01
SHA-256: 3861e0211000956d564f4242b7ec5b52eed67cdc35394f3afd1c03a700797c50
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a high number of embedded links, a technique often used to create link farms for SEO manipulation or to distribute malicious content. One of the primary links, 'https://ttraff.ru/wix?keyword=artistas+de+musica+ranchera+cristian', is flagged as a known malicious redirector. The presence of numerous other links, many pointing to Shopify, suggests an attempt to obscure the malicious destination or to leverage seemingly benign domains for distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.ru/wix?keyword=artistas+de+musica+ranchera+cristian
    • https://cdn.shopify.com/s/files/1/0433/8538/9212/files/23668660600.pdf
    • https://cdn.shopify.com/s/files/1/0431/2665/3079/files/arquitectura_viva_revista.pdf
    • https://cdn.shopify.com/s/files/1/0434/1704/3111/files/5315538276.pdf
    • https://cdn.shopify.com/s/files/1/0431/5466/9729/files/pixajepuboxibobifibatetu.pdf
    • https://static.usrfiles.com/ugd/b8c837_bcd678c7ef524c07bc309c103da931d5.pdf
    • https://static.usrfiles.com/ugd/b8c837_831ea1ebc0e44584ac9a44771be2d06a.pdf
    • https://static.usrfiles.com/ugd/97634b_4fb09830244e442384d660d88aed2a88.pdf
    • https://cdn.shopify.com/s/files/1/0428/9947/2551/files/maulana_abul_kalam_azad_in_urdu.pdf
    • https://cdn.shopify.com/s/files/1/0435/2658/6527/files/arandano_rojo_propiedades.pdf
    • https://cdn.shopify.com/s/files/1/0427/4189/1238/files/fimusezujatajoripizan.pdf
    • https://cdn.shopify.com/s/files/1/0431/7678/8117/files/fezutuwun.pdf
    • https://static.usrfiles.com/ugd/b8c837_62554cc13aa845dcba8afb20289ed26a.pdf
    • https://static.usrfiles.com/ugd/c618e9_1c1875002179449b8a4c4b2c6292fbb3.pdf
    • https://static.usrfiles.com/ugd/49be48_853989b837414054a09d5ead21d404e5.pdf
    • https://static.usrfiles.com/ugd/b8c837_2a84e3cf8b1843ffa0db26a71b05c1a8.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00005ee8.bin | 8580b3ee9adff9a64f157e1cbe05b57479cd2de73f8e5b955d2b44ea3b3e0ac8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5EE8 | 5136 bytes
font_01_sfnt_off00007022.bin | 062eeb810c1972bc34bc5bf07540a2c3d81e998acecb84218d6cbd13c5f8192e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7022 | 11420 bytes