Malicious PDF — malware analysis report

Static analysis result for SHA-256 3dd05c39d7b44c58…

Verdict: MALICIOUS
File type: PDF
Size: 112.5 KB
Created: 2020-09-17 11:24:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00ba872d768d9fee8010f93e9b0d284d
SHA-1: 87a096a36f468b6f9948901ef1e1edcd6d9d7c16
SHA-256: 3dd05c39d7b44c58366402863d61ae6f6dec6116416701ea2382357fd4c287c1
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link (the payload is a clickable redirector link that the user must follow; how the PDF itself was delivered is not established by static analysis, and none of the static findings below evidence script or PowerShell execution)

The critical finding is a clickable URI in the document body whose target is 'https://ttraff.ru/pify?keyword=money+dance+song+2017', a host tagged as redirector infrastructure for a known PDF SEO/adware delivery campaign. The keyword-bearing query string is the social-engineering lure: a user who opens the document and clicks expects a search result for "money dance song 2017" and is instead routed through a redirect chain. The remaining clickable targets are thirteen external .pdf URLs spread over only two hosting services (per-customer filesusr.com subdomains and cdn.shopify.com), the signature of a generated link farm rather than genuine citations; the authoring-application string (wkhtmltopdf 0.12.5) is consistent with a document rendered from HTML by a generator. The sample depends on user interaction, not on a PDF parser vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Clickable URI flagged by PDF_MALICIOUS_REDIRECTOR_LINK:
    • https://ttraff.ru/pify?keyword=money+dance+song+2017
    Clickable external .pdf links counted by PDF_SEO_LINK_FARM (7 on filesusr.com subdomains, 6 on cdn.shopify.com):
    • https://96ac6618-e0eb-407d-937c-8c7860dc79c2.filesusr.com/ugd/99afdc_e9e1ed05b8ad4c61a99dfadf32713b26.pdf?index=true
    • https://e620dd12-8c4e-448f-835a-0d5e51ca1b10.filesusr.com/ugd/a2e20a_9a13fc769d304edc80e7c07ca57cf15f.pdf?index=true
    • https://01cbe456-fa3f-4567-838e-59f302007cbc.filesusr.com/ugd/0c8cc8_68fad3188276428db6cb9840da2f55d4.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0437/8833/7303/files/pocket_guide_to_clinical_examination_epstein.pdf
    • https://cdn.shopify.com/s/files/1/0431/0096/2967/files/leptospirosis_treatment_guidelines.pdf
    • https://cdn.shopify.com/s/files/1/0434/1645/3272/files/2017_chevy_impala_lt_owners_manual.pdf
    • https://cdn.shopify.com/s/files/1/0437/5920/6558/files/ganpati_atharvashirsha_in_marathi_download.pdf
    • https://cdn.shopify.com/s/files/1/0429/2454/0071/files/wupowuxuwugumejizaroj.pdf
    • https://cdn.shopify.com/s/files/1/0432/5664/3739/files/52442273111.pdf
    • https://20b44dae-efa8-4908-84df-f6bc35aeb94e.filesusr.com/ugd/f1780b_8b623f9a634c4eec8c76f8f863d2aa11.pdf?index=true
    • https://be6f3265-b29a-4f6e-9eef-4e54451db396.filesusr.com/ugd/8c5bc8_43c91ee5508c42f78791ded18fc66df9.pdf?index=true
    • https://a99d6bdb-bd7b-481f-984d-d0a04ff5a4c7.filesusr.com/ugd/b73feb_6cdb6b458def415fbe9e279b6591f238.pdf?index=true
    • https://029bac6b-3ea6-4511-aa43-da6d68dce90c.filesusr.com/ugd/c0fca2_3ddebb9b30d844da81edc99503b00c9d.pdf?index=true
    Standard RDF, Dublin Core and Adobe XMP namespace URIs from the document metadata; these are schema identifiers, not clickable links, and are not counted by either link heuristic:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
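To make the three heuristics above reproducible, here is an added example (not the analysis platform's own code) that pulls URLs out of a PDF by channel and re-derives PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM over them. It uses only the standard library, builds its own small sample PDF from the link targets listed in this report plus the six XMP namespace URIs, and the thresholds (256 KB, 8 links, 50 % on the top site), the redirector host list and the "last two labels" site grouping are assumptions chosen for illustration, not the platform's real rules.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# /URI action value as a PDF literal string. Escaped "\(" or "\)" inside the
# literal, and hex-string (<...>) values, are out of scope for this sketch.
URI_LITERAL_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# xmlns declarations inside the XMP stream: schema identifiers, not clickable links.
XMP_NS_RE = re.compile(rb'xmlns:\w+="(https?://[^"]+)"')

SMALL_PDF_BYTES = 256 * 1024            # assumed "small PDF" ceiling
MIN_PDF_LINKS = 8                       # assumed minimum clickable external .pdf links
TOP_SITE_SHARE = 0.5                    # assumed share of .pdf links on the top site
KNOWN_REDIRECTOR_SITES = {"ttraff.ru"}  # assumed list, seeded only from this report

def extract_urls(pdf_bytes):
    """Return (url, channel) pairs; the channel is the path that reached the URL."""
    found = [(m.group(1).decode("latin-1"), "link_annotation")
             for m in URI_LITERAL_RE.finditer(pdf_bytes)]
    found += [(m.group(1).decode("latin-1"), "xmp_namespace")
              for m in XMP_NS_RE.finditer(pdf_bytes)]
    return found

def site(url):
    """Last two host labels (no public-suffix list), so the per-customer
    filesusr.com subdomains collapse into one site as the heuristic needs."""
    return ".".join((urlparse(url).hostname or "").split(".")[-2:])

def evaluate(pdf_bytes):
    """Re-derive PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM."""
    found = extract_urls(pdf_bytes)
    clickable = [u for u, ch in found if ch == "link_annotation"]
    pdf_links = [u for u in clickable if urlparse(u).path.lower().endswith(".pdf")]
    sites = Counter(site(u) for u in pdf_links)
    top_site, top_n = sites.most_common(1)[0] if sites else ("", 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    farm = (len(pdf_bytes) <= SMALL_PDF_BYTES and len(pdf_links) >= MIN_PDF_LINKS
            and share >= TOP_SITE_SHARE)
    return {
        "clickable_links": len(clickable),
        "metadata_uris": sum(ch == "xmp_namespace" for _, ch in found),
        "external_pdf_links": len(pdf_links),
        "top_site": top_site,
        "top_site_share": round(share, 2),
        "PDF_MALICIOUS_REDIRECTOR_LINK": [u for u in clickable if site(u) in KNOWN_REDIRECTOR_SITES],
        "PDF_SEO_LINK_FARM": farm,
    }

def build_sample_pdf(link_urls, xmp_namespaces):
    """Constructed sample: one page holding only Link annotations plus an XMP
    stream (with a valid xref table), mimicking a generated link-farm carrier."""
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           + b" ".join(b'xmlns:ns%d="%s"' % (i, ns.encode())
                       for i, ns in enumerate(xmp_namespaces)) + b"/></x:xmpmeta>")
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
            + b" ".join(b"%d 0 R" % (5 + i) for i in range(len(link_urls))) + b"] >>",
            b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
            + xmp + b"\nendstream"]
    for i, url in enumerate(link_urls):          # one Link annotation per URL
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [50 %d 560 %d] /Border [0 0 0] "
                    b"/A << /S /URI /URI (%s) >> >>" % (750 - 20 * i, 765 - 20 * i, url.encode()))
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)

# Link targets copied from the report above; the namespaces are the six
# schema URIs the EMBEDDED_URL heuristic listed (metadata, not link targets).
REPORT_LINKS = [
    "https://ttraff.ru/pify?keyword=money+dance+song+2017",
    "https://96ac6618-e0eb-407d-937c-8c7860dc79c2.filesusr.com/ugd/99afdc_e9e1ed05b8ad4c61a99dfadf32713b26.pdf?index=true",
    "https://e620dd12-8c4e-448f-835a-0d5e51ca1b10.filesusr.com/ugd/a2e20a_9a13fc769d304edc80e7c07ca57cf15f.pdf?index=true",
    "https://01cbe456-fa3f-4567-838e-59f302007cbc.filesusr.com/ugd/0c8cc8_68fad3188276428db6cb9840da2f55d4.pdf?index=true",
    "https://cdn.shopify.com/s/files/1/0437/8833/7303/files/pocket_guide_to_clinical_examination_epstein.pdf",
    "https://cdn.shopify.com/s/files/1/0431/0096/2967/files/leptospirosis_treatment_guidelines.pdf",
    "https://cdn.shopify.com/s/files/1/0434/1645/3272/files/2017_chevy_impala_lt_owners_manual.pdf",
    "https://cdn.shopify.com/s/files/1/0437/5920/6558/files/ganpati_atharvashirsha_in_marathi_download.pdf",
    "https://cdn.shopify.com/s/files/1/0429/2454/0071/files/wupowuxuwugumejizaroj.pdf",
    "https://cdn.shopify.com/s/files/1/0432/5664/3739/files/52442273111.pdf",
    "https://20b44dae-efa8-4908-84df-f6bc35aeb94e.filesusr.com/ugd/f1780b_8b623f9a634c4eec8c76f8f863d2aa11.pdf?index=true",
    "https://be6f3265-b29a-4f6e-9eef-4e54451db396.filesusr.com/ugd/8c5bc8_43c91ee5508c42f78791ded18fc66df9.pdf?index=true",
    "https://a99d6bdb-bd7b-481f-984d-d0a04ff5a4c7.filesusr.com/ugd/b73feb_6cdb6b458def415fbe9e279b6591f238.pdf?index=true",
    "https://029bac6b-3ea6-4511-aa43-da6d68dce90c.filesusr.com/ugd/c0fca2_3ddebb9b30d844da81edc99503b00c9d.pdf?index=true",
]
XMP_NAMESPACES = ["http://www.w3.org/1999/02/22-rdf-syntax-ns#", "http://purl.org/dc/elements/1.1/",
                  "http://ns.adobe.com/pdf/1.3/", "http://ns.adobe.com/xap/1.0/",
                  "http://ns.adobe.com/xap/1.0/mm/", "http://ns.adobe.com/xap/1.0/rights/"]

SAMPLE_PDF = build_sample_pdf(REPORT_LINKS, XMP_NAMESPACES)
RESULT = evaluate(SAMPLE_PDF)
```

On the constructed sample, RESULT reports 14 clickable links, 13 external .pdf links with 7 of them on filesusr.com (share 0.54), the ttraff.ru URL as the redirector hit, and 6 metadata URIs that never enter either heuristic. Grouping by the last two host labels is what makes the link-farm signal visible: grouping by full hostname would scatter the seven per-customer filesusr.com subdomains and leave cdn.shopify.com below the 50 % threshold. To run this against a real sample, read the file bytes and call evaluate(); streams compressed with /FlateDecode would first need inflating, which this sketch does not do.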

Extracted artifacts 5

Files carved from inside the sample during analysis. All five are embedded sfnt (TrueType/OpenType) font programs, which is consistent with a document rendered by wkhtmltopdf; nothing other than fonts was carved, in line with the heuristics' assessment that the sample relies on user clicks rather than on a parser exploit.

Filename / Kind / Source / Size / SHA-256

font_00_sfnt_off000153a2.bin
  Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x153A2   Size: 3744 bytes
  SHA-256: 2a1d0c42dc2e50a49cb201398b713ee3fdb383622a66a4ff21b7896ad65a32d1
font_01_sfnt_off00016115.bin
  Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x16115   Size: 5492 bytes
  SHA-256: ada1d4fa2be6a469df8df056ecd2f4fd79c6d390549e3cd46ec5b7ad21945b2f
font_02_sfnt_off000173f0.bin
  Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x173F0   Size: 2196 bytes
  SHA-256: 2eb6720d1c160142c0e8c48d4e4757c35821debb35d12638937f971cc3f6577b
font_03_sfnt_off00017de1.bin
  Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x17DE1   Size: 6148 bytes
  SHA-256: be38186c9256ba0e64b07d34cca2e63b176d3ffd182ae4667a642b503e748fe0
font_04_sfnt_off00018dc1.bin
  Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x18DC1   Size: 11348 bytes
  SHA-256: 124d1677943da4d96b23454d996084933d74f4f969055422fe5e8ded6d509047