Malicious PDF — malware analysis report

Static analysis result for SHA-256 3a55aefb1a57e7c3…

MALICIOUS

PDF

43.4 KB Created: 2020-08-31 13:01:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 370fc790a7f0de755c3691cdb3c7f24b SHA-1: c4f4a0adfccb6252987d7cc2d5415beefdc03d2e SHA-256: 3a55aefb1a57e7c30908d4583eefe0008bb34c5b0b20fcac0273e89478f2eba5
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link to a known malicious redirector, ttraff.ru, which is disguised with a search query for 'Malleswari mp3 songs download'. The document body, though heavily obfuscated, also contains this URL. The PDF also features a large number of external links, many pointing to Shopify, suggesting a link farm or SEO poisoning attempt to drive traffic to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9984

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=malleswari+mp3+songs+download
    • https://cdn.shopify.com/s/files/1/0434/7625/4873/files/13637259141.pdf
    • https://cdn.shopify.com/s/files/1/0433/5910/9279/files/69366446188.pdf
    • https://cdn.shopify.com/s/files/1/0441/4255/9384/files/wusuzajasupow.pdf
    • https://cdn.shopify.com/s/files/1/0433/5550/4795/files/54347933064.pdf
    • https://cdn.shopify.com/s/files/1/0435/8835/4207/files/associer_deux_en_ligne.pdf
    • https://cdn.shopify.com/s/files/1/0432/8115/4198/files/jinarivari.pdf
    • https://static.usrfiles.com/ugd/599f1c_10775f8c50034dce93d80ae0f44cefa4.pdf
    • https://static.usrfiles.com/ugd/b8c837_0378499d807e41d8b2a47aa2df882a6c.pdf
    • https://static.usrfiles.com/ugd/58a813_aba7ae8279464825a92ff5538a2428a8.pdf
    • https://static.usrfiles.com/ugd/b8c837_8d6882410fd848d0a33e1b415cfd021a.pdf
    • https://static.usrfiles.com/ugd/b8c837_89d5308107374ac8927f28b604a1b444.pdf
    • https://static.usrfiles.com/ugd/0aab01_cf427628ec914adea10aa56f7f715172.pdf
    • https://static.usrfiles.com/ugd/b13fd1_209edad4fe454aed877f8b102dc53712.pdf

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006bd1.bin
5b5bc683248d4dfa2f977c438d17f9717c4a9196c21cc6f842bb2a532608c1ea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6BD1 5540 bytes
font_01_sfnt_off00007ead.bin
82aa41d253705f3883c8604681a4c7a0720f4b07831d4a2ed2e9f10029559ca8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7EAD 13808 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.