Malicious PDF — malware analysis report

Static analysis result for SHA-256 40550977aea67615…

MALICIOUS

PDF

44.0 KB Created: 2020-08-31 21:52:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0f66bce7d9f27e3de15b920d0255a26c SHA-1: c635b80b8815b77d98b64287926fe87c9c090b7f SHA-256: 40550977aea67615389ee3f8c44304ec953bdd98a21f24b2a1a5520c880c264e
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with one critical heuristic identifying it as a malicious redirector. The document body, though partially garbled, suggests a lure related to "Crown paint thinner msds sheet" to entice users to click on these links. The primary malicious URL identified is https://ttraff.ru/wix?keyword=crown+paint+thinner+msds+sheet, which is likely used to redirect users to further malicious content. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=crown+paint+thinner+msds+sheet
    • https://static.usrfiles.com/ugd/19103d_d975bf2643b44c30936c7252edce4369.pdf
    • https://static.usrfiles.com/ugd/b8c837_57315f2387064f5b9116b351a20719dc.pdf
    • https://static.usrfiles.com/ugd/269bb8_d0ec4bbc4c7747febb79e0d22b5a36d5.pdf
    • https://static.usrfiles.com/ugd/b8c837_be15e82486eb4077ada1821a06a4844a.pdf
    • https://static.usrfiles.com/ugd/b8c837_1bb2aa7339834f3a8358bd9568f5b3e9.pdf
    • https://static.usrfiles.com/ugd/4b874d_0d32b0b8ffc345c18f8c00a7c2d7a8be.pdf
    • https://static.usrfiles.com/ugd/fd7405_8504828aa85f4ddfb0390126923a4054.pdf
    • https://static.usrfiles.com/ugd/b8c837_70871d3d0f7e48c7a2680046aef1b088.pdf
    • https://cdn.shopify.com/s/files/1/0431/9831/6707/files/kekuvutokiloleximadag.pdf
    • https://cdn.shopify.com/s/files/1/0449/7106/5503/files/caterpillar_diesel_generator_operation_and_maintenance_manual_in.pdf
    • https://cdn.shopify.com/s/files/1/0436/9294/9658/files/99322802481.pdf
    • https://cdn.shopify.com/s/files/1/0428/4517/5971/files/tuvezitapizodoteboz.pdf
    • https://static.usrfiles.com/ugd/ab922d_809301c9ac534b908da8070e0e712e62.pdf
    • https://static.usrfiles.com/ugd/b8c837_9585a4372f034e088ff4e54519a577d5.pdf
    • https://static.usrfiles.com/ugd/64d889_aad231ed2d254f8eb6daf0171bb3054b.pdf
    • https://static.usrfiles.com/ugd/15cd4d_05d99776667b4f4e8c0834cbda4a8caf.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000609b.bin
6da117d8cad750674fe1d09b5b231beb68aa014208d5014085955c8e768f8234		 pdf-font-stream PDF embedded font (sfnt) at offset 0x609B 5164 bytes
font_01_sfnt_off00007209.bin
3106bd47f9207088a3d019f75d45a078d3e98a286993389794924d3d6729e27e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7209 15916 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.