Malicious PDF — malware analysis report

Static analysis result for SHA-256 480300665d67f4a9…

Verdict: MALICIOUS
File type: PDF
Size: 62.1 KB
Created: 2020-08-11 16:23:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a47138e484c94d93f7b999c2ed48bcd7
SHA-1: d893e7a4e29538f353c71044bca06794d5d94c06
SHA-256: 480300665d67f4a9df95f70478633d813094be5e8fcc7ccc974479b0363989e2
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, many of which point to potentially malicious redirectors or unknown hosts. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK specifically identifies a link to ttraff.ru, which is known malicious infrastructure. The ML classifier also strongly flagged this PDF as malicious. The document body is heavily obfuscated and appears to contain embedded URLs, further supporting the malicious redirection attack pattern.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=strength+training+anatomy+3rd+edition+pdf+%25D8%25AA%25D8%25AD%25D9%2585%25D9%258A%25D9%2584+%25D9%2583%25D8%25AA%25D8%25A7%25D8%25A8
    • http://mopajun.highdesertbirths.com/uploads/1/3/1/3/131383483/8415533.pdf
    • http://files.akashachamberlain.com/uploads/1/3/1/4/131437885/tunupesa.pdf
    • http://files.alliesandfriendsmn.org/uploads/1/3/0/7/130740069/nigovebejomuzu-dolub-xapimonijagi.pdf
    • http://files.mothersyoke.com/uploads/1/3/1/6/131607544/1600238.pdf
    • http://daxuvin.myscarsministry.com/uploads/1/3/0/8/130814328/ee71f778bd85d6.pdf
    • https://cdn.shopify.com/s/files/1/0440/6041/0021/files/15507966438.pdf
    • https://cdn.shopify.com/s/files/1/0427/9074/8316/files/30114024963.pdf
    • https://cdn.shopify.com/s/files/1/0438/0796/5345/files/20514879617.pdf
    • https://cdn.shopify.com/s/files/1/0429/5471/9395/files/14_principios_de_deming_calidad_total.pdf
    • https://cdn.shopify.com/s/files/1/0434/7609/1045/files/bacterial_diseases_of_fish.pdf
    • https://cdn.shopify.com/s/files/1/0435/3910/3912/files/cleric_spell_list_5e.pdf
    • https://cdn.shopify.com/s/files/1/0428/9350/8771/files/62514381681.pdf
    • https://cdn.shopify.com/s/files/1/0428/5467/8687/files/zuvofidilavonejo.pdf
    • https://cdn.shopify.com/s/files/1/0430/0485/4426/files/56625419369.pdf
    • https://cdn.shopify.com/s/files/1/0439/3123/8568/files/kiwoz.pdf
    • https://cdn.shopify.com/s/files/1/0433/0346/9206/files/24314031834.pdf
    • https://cdn.shopify.com/s/files/1/0432/5975/6708/files/jomisetorixuvuwivakawu.pdf
    • https://cdn.shopify.com/s/files/1/0429/9925/1093/files/ender_io_to_rf.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • stream_006_off0000ba8b.bin
    SHA-256: d555fe8e80801b42c673c4f4dbc37e0265b2676dcc05df47ba544d27131cc71f
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xBA8B
    Size: 25364 bytes
  • font_00_sfnt_off00006a4c.bin
    SHA-256: 3642ec52e30496948aa3f0f655638fcdffc49cef4c3c4e0ec2e0a33899d94d59
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6A4C
    Size: 5616 bytes
  • font_01_sfnt_off00007d3c.bin
    SHA-256: 8a971fc8cb9e3cc3c5d7d9d0b1836542f8132018f8017b488c6e63c3a3b4aa89
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7D3C
    Size: 17080 bytes
  • font_02_sfnt_off000095cc.bin
    SHA-256: bb2641359620cab1f855722e5599974f4640ea32f8ff56121078a8e69ef0a58d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x95CC
    Size: 10672 bytes