Malicious PDF — malware analysis report

Static analysis result for SHA-256 4185b05c796e1efe…

Verdict: MALICIOUS
File type: PDF
Size: 169.7 KB
Created: 2020-09-17 02:27:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f16026237276e9ff1be9a3640278ce84
SHA-1: d150d59c43be5ecfd584aa406c3db5997bf15942
SHA-256: 4185b05c796e1efeb18a18f11c68bc2bbfbfcc17d91ea361db882adfabc5e822
Risk score: 92

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1059.001 Command and Scripting Interpreter: PowerShell (note: no script content was extracted from this sample, so nothing in the static findings below substantiates this mapping)

A heuristic fired on a malicious redirector link in the PDF: a clickable URI pointing to https://ttraff.ru/wix?keyword=special+characters+lol+club. The same URL also appears in the document body, which is heavily obfuscated, suggesting it is the primary lure. The ML classifier also scored the file as malicious. No scripts were extracted from this sample, so the expected behaviour is user-interaction driven (a click followed by a redirect chain) rather than exploitation of the PDF reader.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.8587

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs; when triaging, check which definition the victim's reader honours. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=special+characters+lol+club (clickable link annotation; see PDF_MALICIOUS_REDIRECTOR_LINK above)
    • https://ec027611-4bdf-4071-be81-8889289bb823.filesusr.com/ugd/ea2f88_25d66240da8a466b97fe57a3263cb694.pdf?index=true
    • https://dc7751dc-2d66-4a39-8982-d7e46b23011b.filesusr.com/ugd/c068f8_11f353322db5486c9975a2636799cfac.pdf?index=true
    • https://f980f87d-445d-4f9f-b86d-018e2ddd8db2.filesusr.com/ugd/fc840b_d8fc2cb9eeda46e6b2498632dc72832e.pdf?index=true
    • https://322db7fd-9547-4cf9-b0cc-6dbfb07cfa67.filesusr.com/ugd/76de1a_84e290173c944cbcb7350b870c345f3e.pdf?index=true
    • https://8a0f8d7a-73e4-4914-8ac7-0ef4e1484dff.filesusr.com/ugd/7d1dc9_a7c4f96680a6420191c763f498a60463.pdf?index=true
    • https://1476a1ba-32a6-4fa0-a24f-5009a7ddecd9.filesusr.com/ugd/eb4c03_f91803a802b74aca8bf880fda5107c8b.pdf?index=true
    • https://2740c42e-4057-422b-a00c-6b644e6cceef.filesusr.com/ugd/9c66ff_94ec3e1c550c405297f3b71a7d104c5e.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0430/8307/1650/files/mikigemifidegebukigi.pdf
    • https://cdn.shopify.com/s/files/1/0433/3876/0342/files/zaseno.pdf
    • https://cdn.shopify.com/s/files/1/0465/5788/8662/files/usa_visit_visa_form_from_dubai.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are RDF/XMP namespace identifiers from the document's metadata packet, not navigable links; they are expected in any wkhtmltopdf output and carry no signal on their own.
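The two structural heuristics above, duplicate object bodies across an incremental update (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) and per-channel labelling of extracted URLs with a match against redirector hosts (PDF_MALICIOUS_REDIRECTOR_LINK / EMBEDDED_URL), can be reproduced with a small scanner. The Python below is an added example written for this page, not the analysis engine's code. The in-memory sample PDF, the hostname redirector.invalid and the set of keys treated as "active content" are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# `N G obj ... endobj`, in file order, so an incremental update that redefines
# an object shows up as a second match for the same (N, G).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Link-annotation action: /A << /S /URI /URI (target) >>. Literal strings only;
# hex strings and escaped parentheses are not handled in this example.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\((.*?)\)", re.DOTALL)
XMP_NS_RE = re.compile(rb'xmlns:[\w.-]+="([^"]+)"')
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# Assumption: a link action (/URI) counts as active content, because the redirect
# is exactly what a lure document relies on; the rest are script/launch keys.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/URI", b"/SubmitForm")

# Constructed sample (not the analysed file): one page with a link annotation, an
# XMP metadata stream, an uncompressed content stream and an incremental update
# that redefines object 4 with a different target. /Length keys are omitted
# because this byte-level scanner does not use them or the xref table.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Contents 6 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://example.invalid/benign) >> >>
endobj
5 0 obj
<< /Type /Metadata /Subtype /XML >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"></rdf:RDF>
endstream
endobj
6 0 obj
<< >>
stream
BT (Visit https://plain.invalid/doc) Tj ET
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://redirector.invalid/wix?keyword=lure) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 9 >>
%%EOF
"""


def iter_objects(data):
    """Yield (num, gen, body) for every indirect object definition, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3)


def find_duplicate_objects(data):
    """Objects defined more than once with differing bodies. A first-wins reader
    shows bodies[0], a last-wins reader shows bodies[-1]; severity is raised only
    when a duplicate carries active content, as the heuristic text describes."""
    seen = defaultdict(list)
    for num, gen, body in iter_objects(data):
        seen[(num, gen)].append(body.strip())
    findings = {}
    for key, bodies in seen.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            findings[key] = {"first": bodies[0], "last": bodies[-1],
                             "active": active, "severity": "high" if active else "info"}
    return findings


def classify_urls(data):
    """Map each URL to the channel(s) that reached it: link annotation, XMP
    namespace declaration, or plain document body (a URL found nowhere else)."""
    channels = defaultdict(set)
    for _, _, body in iter_objects(data):
        for m in URI_ACTION_RE.finditer(body):
            channels[m.group(1).decode("latin-1")].add("link-annotation")
        for m in XMP_NS_RE.finditer(body):
            channels[m.group(1).decode("latin-1")].add("xmp-namespace")
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("latin-1")
        if url not in channels:
            channels[url].add("document-body")
    return dict(channels)


def flag_redirector_links(channels, redirector_hosts):
    """Clickable URIs whose host is on the redirector list: the critical finding."""
    return sorted(u for u, ch in channels.items()
                  if "link-annotation" in ch and urlsplit(u).hostname in redirector_hosts)


if __name__ == "__main__":
    for key, f in find_duplicate_objects(SAMPLE_PDF).items():
        print("duplicate object %d %d severity=%s" % (key[0], key[1], f["severity"]))
    urls = classify_urls(SAMPLE_PDF)
    for url, ch in sorted(urls.items()):
        print(url, sorted(ch))
    print("redirector links:", flag_redirector_links(urls, {"redirector.invalid"}))
```

Against the real sample, substitute the file's bytes for SAMPLE_PDF and the campaign's redirector hosts for the placeholder set. Content streams compressed with FlateDecode have to be inflated before the document-body pass can see URLs inside them; this example scans object dictionaries and raw bytes only, which is enough for link annotations and XMP metadata.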

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
stream_009_off00010b6c.bin | f930b9911e9640bd8b8d81759c3fade2d61b28df98256a7261ad24f1da5cabc5 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x10B6C | 1788 bytes
font_00_sfnt_off00009cbf.bin | 1b8f6214ca004dd94e0622e71ca577714f40cb9e8a78ded0d14d8c5ea3812498 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9CBF | 7016 bytes
font_01_sfnt_off0000ae84.bin | 281758de262581e80a3ec7919ef70a7eee0fe76fc232a0cb5745c284de163204 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAE84 | 15992 bytes
font_02_sfnt_off0000d4f1.bin | edb7aa2aaa0259dc6e2bae63150acb974f93838bdafc1686e320cf498cbc7046 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD4F1 | 5040 bytes
font_03_sfnt_off0000e615.bin | bf3150ae3ab4155a537da946c997ce6752a6e8ad50f6cad4342806fe1cfe4d7e | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE615 | 2308 bytes
font_04_sfnt_off0000efcd.bin | 8a6edaccbce58049240be228b0be91666f9828dda6623101afe8d0a143f481fd | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEFCD | 6228 bytes
font_05_sfnt_off0000fef5.bin | 3a22ad57fc344cc97733ae57b5f82abd0228d68a3d60ba4e6050f1da2789c059 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFEF5 | 3992 bytes
font_07_sfnt_off00011495.bin | f0058b2c383923b68f637ad86b387d4d0b93737e88d4f740b7a4a62bb3d5ed39 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11495 | 2120 bytes
font_08_sfnt_off00011d9a.bin | 09cd6703a9b55630c0ed9215a049f5f0f099ab821b1ae03ba19a8f534a9785b3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11D9A | 1688 bytes
font_09_sfnt_off00012601.bin | 9eb56e0b1f0fa330aad6b229d193ca5596f24b725ba3e5dd745ba8e7dba20ad8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12601 | 6068 bytes
font_10_sfnt_off0001358b.bin | e3129d8fc7dfb3e7165b17ed058ca5882b5c958742b4a03ab1a517e24e2ea623 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1358B | 27216 bytes
font_11_sfnt_off000182a9.bin | bb06313e6f5ba048d8f203f4de2e6e2bc0fb4aae6df8df378d0d79d15ed3f795 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x182A9 | 97724 bytes
font_12_sfnt_off00026c9c.bin | 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x26C9C | 4324 bytes
font_13_sfnt_off00027aa6.bin | a266c491f4931368510dae9bd4cf4b58734b51aa8192ea38aee5fe523c195c0e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x27AA6 | 2572 bytes
font_14_sfnt_off000284f6.bin | d9820a798b6a36ad18f978c06176ca110a05c430e7f9a50ed254548889e59744 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x284F6 | 6164 bytes
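The carving step behind the table above (inflate each FlateDecode stream, recognise sfnt fonts by their first four bytes, hash the decoded bytes and name the file by its stream offset) is reproduced below as an added Python example; it is not the analysis engine's code. The two-stream PDF it builds, the fake sfnt header and the per-kind file counters are constructed assumptions; the filename pattern mirrors the table above.

```python
import hashlib
import re
import zlib

# `N G obj ... endobj`; group 3 is the object body, m.start(3) its file offset.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_KW_RE = re.compile(rb"\bstream\r?\n")
# Direct /Length only; an indirect length ("/Length 7 0 R") is left to the fallback.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
# sfnt container tags: TrueType (0x00010000), OpenType/CFF ("OTTO"), Apple ("true"), collections ("ttcf").
SFNT_MAGICS = {b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf"}

# Constructed payloads (not from the analysed sample): a fake sfnt header and a
# short content stream, both Flate-compressed by build_sample_pdf().
SAMPLE_FONT = b"\x00\x01\x00\x00" + b"\x00\x0a" + b"glyf" * 64
SAMPLE_TEXT = b"BT /F1 12 Tf (hello) Tj ET"


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def build_sample_pdf():
    """Minimal two-stream PDF with correct direct /Length values (constructed)."""
    parts = [b"%PDF-1.4\n"]
    for num, payload in ((1, SAMPLE_FONT), (2, SAMPLE_TEXT)):
        comp = zlib.compress(payload)
        parts.append(b"%d 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % (num, len(comp)))
        parts.append(comp + b"\nendstream\nendobj\n")
    parts.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)


def extract_streams(data):
    """Carve every stream object, inflate FlateDecode streams, classify and hash them.
    Returns one dict per stream (name, sha256, kind, obj, offset, size), or an
    'error' entry when a stream fails to inflate, which is itself worth a look."""
    artifacts, font_n, stream_n = [], 0, 0
    for m in OBJ_RE.finditer(data):
        body, body_off = m.group(3), m.start(3)
        kw = STREAM_KW_RE.search(body)
        if not kw:
            continue
        header, start = body[:kw.start()], kw.end()
        lm = LENGTH_RE.search(header)
        if lm:
            raw = body[start:start + int(lm.group(1))]
        else:  # indirect or missing /Length: fall back to the endstream keyword
            end = body.find(b"endstream", start)
            raw = body[start:end].rstrip(b"\r\n")
        offset = body_off + start  # file offset of the stream data, as in the table
        obj = (int(m.group(1)), int(m.group(2)))
        if b"/FlateDecode" in header:
            try:
                payload = zlib.decompress(raw)
            except zlib.error as exc:
                artifacts.append({"obj": obj, "offset": offset, "error": str(exc)})
                continue
            kind = "decompressed-pdf-stream"
        else:
            payload, kind = raw, "pdf-stream"
        if payload[:4] in SFNT_MAGICS:
            kind, name = "pdf-font-stream", "font_%02d_sfnt_off%08x.bin" % (font_n, offset)
            font_n += 1
        else:
            name = "stream_%03d_off%08x.bin" % (stream_n, offset)
            stream_n += 1
        artifacts.append({"name": name, "sha256": sha256_hex(payload), "kind": kind,
                          "obj": obj, "offset": offset, "size": len(payload)})
    return artifacts


if __name__ == "__main__":
    for art in extract_streams(build_sample_pdf()):
        print(art)
```

Point extract_streams at the real file's bytes to regenerate the hashes in the table and confirm the carve is reproducible. Fonts carved this way are worth keeping: an sfnt stream is a parser attack surface in its own right, so an embedded font that fails to inflate or has an odd table directory deserves a second look even in a lure document like this one.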