Malicious PDF — malware analysis report

Static analysis result for SHA-256 45d4269314a69e37…

MALICIOUS

PDF

Size: 49.7 KB
Created: 2020-08-21 20:45:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fa48ebed6e2f4ab07bad155d0f988258
SHA-1: 89c86bfe6e5beaa95a4cefc112ea384ff505bfa9
SHA-256: 45d4269314a69e3724240d3c6cd058292a56f43e1382f50e4ac63e7258ee5188
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic firing indicating a malicious redirector. The document body, though heavily obfuscated, contains URLs that appear to be part of a link farm designed to attract traffic. The primary malicious URL identified is ttraff.ru, which is likely used to redirect users to further malicious content. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=wavelet+transform+matlab+code+example

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off00006080.bin
    SHA-256: f96ed5db7ea2d1ee5d2aae59af246673353b191828c6def2f16ecfd6c9be08ce
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6080
    Size: 5320 bytes
  • font_01_sfnt_off00007283.bin
    SHA-256: c02f184e4a3cb774a1c2e42f881e7bfb6e312226e6682aad5545c2aa1f73e34b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7283
    Size: 10528 bytes
  • font_02_sfnt_off000096bc.bin
    SHA-256: 40362fbc9d771ad4ffebf23d851d0e608cbe5e910bc9c9578be8a04431091e8d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x96BC
    Size: 16084 bytes
  • font_03_sfnt_off0000ab69.bin
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAB69
    Size: 4324 bytes